Vulnerability Details : CVE-2019-11936
Various APC functions accept keys containing null bytes as input, leading to premature truncation of input. This issue affects HHVM versions prior to 3.30.12, all versions between 4.0.0 and 4.8.5, all versions between 4.9.0 and 4.23.1, as well as 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0, and 4.28.1.
Products affected by CVE-2019-11936
- cpe:2.3:a:facebook:hhvm:*:*:*:*:*:*:*:*
- cpe:2.3:a:facebook:hhvm:*:*:*:*:*:*:*:*
- cpe:2.3:a:facebook:hhvm:*:*:*:*:*:*:*:*
- cpe:2.3:a:facebook:hhvm:4.24.0:*:*:*:*:*:*:*
- cpe:2.3:a:facebook:hhvm:4.25.0:*:*:*:*:*:*:*
- cpe:2.3:a:facebook:hhvm:4.26.0:*:*:*:*:*:*:*
- cpe:2.3:a:facebook:hhvm:4.27.0:*:*:*:*:*:*:*
- cpe:2.3:a:facebook:hhvm:4.28.0:*:*:*:*:*:*:*
- cpe:2.3:a:facebook:hhvm:4.28.1:*:*:*:*:*:*:*
Threat overview for CVE-2019-11936
- Top open port discovered on systems with this issue: 80
- IPs affected by CVE-2019-11936: 426
- Threat actors abusing this issue: Yes
Exploit prediction scoring system (EPSS) score for CVE-2019-11936
- EPSS score: 0.54% (probability of exploitation activity in the next 30 days)
- Percentile: ~78% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2019-11936
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST | |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
CWE ids for CVE-2019-11936
- The product does not properly handle null bytes or NUL characters when passing data between different representations or components. Assigned by: cve-assign@fb.com (Secondary)
References for CVE-2019-11936
- https://github.com/facebook/hhvm/commit/f57df6d8cf33cb14c40f52287da29360e7003373
  Prevent APC keys with nulls · facebook/hhvm@f57df6d · GitHub (Patch; Third Party Advisory)
- https://hhvm.com/blog/2019/10/28/security-update.html
  Security Update | HHVM (Vendor Advisory)
- https://www.facebook.com/security/advisories/cve-2019-11936
  Facebook (Vendor Advisory)