Note: This project will be discontinued after December 13, 2021.
Product: Hhvm (Facebook)
Repositories:
• https://github.com/facebook/hhvm
• https://github.com/facebook/folly
#Vulnerabilities: 40

Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2019-01-15 | CVE-2018-6345 | The function number_format is vulnerable to a heap overflow issue when its second argument ($dec_points) is excessively large. The internal implementation of the function will cause a string to be created with an invalid length, which can then interact poorly with other functions. This affects all supported versions of HHVM (3.30.1 and 3.27.5 and below). | Hhvm | 9.8 | ||
2019-10-02 | CVE-2019-11929 | Insufficient boundary checks when formatting numbers in number_format allows read/write access to out-of-bounds memory, potentially leading to remote code execution. This issue affects HHVM versions prior to 3.30.10, all versions between 4.0.0 and 4.8.5, all versions between 4.9.0 and 4.18.2, and versions 4.19.0, 4.19.1, 4.20.0, 4.20.1, 4.20.2, 4.21.0, 4.22.0, 4.23.0. | Hhvm | N/A | ||
2019-04-29 | CVE-2019-3561 | Insufficient boundary checks for the strrpos and strripos functions allow access to out-of-bounds memory. This affects all supported versions of HHVM (4.0.3, 3.30.4, and 3.27.7 and below). | Hhvm | 9.8 | ||
2019-01-15 | CVE-2019-3557 | The implementations of streams for bz2 and php://output improperly implemented their readImpl functions, returning -1 consistently. This behavior caused some stream functions, such as stream_get_line, to trigger an out-of-bounds read when operating on such malformed streams. The implementations were updated to return valid values consistently. This affects all supported versions of HHVM (3.30 and 3.27.4 and below). | Hhvm | 9.8 | ||
2017-02-17 | CVE-2016-6875 | Infinite recursion in wddx in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors. | Hhvm | 9.8 | ||
2017-02-17 | CVE-2016-6874 | The array_*_recursive functions in Facebook HHVM before 3.15.0 allow attackers to have unspecified impact via unknown vectors, related to recursion. | Hhvm | 9.8 | ||
2017-02-17 | CVE-2016-6873 | Self recursion in compact in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors. | Hhvm | 9.8 | ||
2017-02-17 | CVE-2016-6872 | Integer overflow in StringUtil::implode in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors. | Hhvm | 9.8 | ||
2017-02-17 | CVE-2016-6871 | Integer overflow in bcmath in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors, which triggers a buffer overflow. | Hhvm | 9.8 | ||
2017-02-17 | CVE-2016-6870 | Out-of-bounds write in the (1) mb_detect_encoding, (2) mb_send_mail, and (3) mb_detect_order functions in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors. | Hhvm | 9.8 |