CVE-2019-3556 : HHVM supports the use of an "admin" server which accepts administrative requests

HHVM supports the use of an "admin" server which accepts administrative requests over HTTP. One of those request handlers, dump-pcre-cache, can be used to output cached regular expressions from the current execution context into a file. The handler takes a parameter which specifies where on the filesystem to write this data. The parameter is not validated, allowing a malicious user to overwrite arbitrary files where the user running HHVM has write access. This issue affects HHVM versions prior to 4.56.2, all versions between 4.57.0 and 4.78.0, as well as 4.79.0, 4.80.0, 4.81.0, 4.82.0, and 4.83.0.

Published 2021-10-26 20:15:08

Updated 2021-10-29 16:38:51

Source Facebook, Inc.

View at NVD, CVE.org

Vulnerability category: Directory traversal

Products affected by CVE-2019-3556

Facebook » Hhvm
Versions before (<) 4.56.2
cpe:2.3:a:facebook:hhvm:*:*:*:*:*:*:*:*
Matching versions
Facebook » Hhvm
Versions from including (>=) 4.57.0 and up to, including, (<=) 4.78.0
cpe:2.3:a:facebook:hhvm:*:*:*:*:*:*:*:*
Matching versions
Facebook » Hhvm » Version: 4.79.0
cpe:2.3:a:facebook:hhvm:4.79.0:*:*:*:*:*:*:*
Matching versions
Facebook » Hhvm » Version: 4.80.0
cpe:2.3:a:facebook:hhvm:4.80.0:*:*:*:*:*:*:*
Matching versions
Facebook » Hhvm » Version: 4.81.0
cpe:2.3:a:facebook:hhvm:4.81.0:*:*:*:*:*:*:*
Matching versions
Facebook » Hhvm » Version: 4.82.0
cpe:2.3:a:facebook:hhvm:4.82.0:*:*:*:*:*:*:*
Matching versions
Facebook » Hhvm » Version: 4.83.0
cpe:2.3:a:facebook:hhvm:4.83.0:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2019-3556

EPSS FAQ

1.29%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 78 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2019-3556

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.5	MEDIUM	AV:N/AC:L/Au:S/C:N/I:P/A:P	8.0	4.9	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: None Integrity Impact: Partial Availability Impact: Partial
8.1	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H	2.8	5.2	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: None Integrity: High Availability: High

CWE ids for CVE-2019-3556

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Assigned by:
- cve-assign@fb.com (Secondary)
- nvd@nist.gov (Primary)

References for CVE-2019-3556

https://www.facebook.com/security/advisories/cve-2019-3556

Page Not Found | Facebook
Broken Link
https://github.com/facebook/hhvm/commit/abe0b29e4d3a610f9bc920b8be4ad8403364c2d4

security fixes · facebook/hhvm@abe0b29 · GitHub
Patch;Third Party Advisory

CVEs referencing this url
https://hhvm.com/blog/2020/11/12/security-update.html

Security Update | HHVM
Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2019-3556

Products affected by CVE-2019-3556

Exploit prediction scoring system (EPSS) score for CVE-2019-3556

CVSS scores for CVE-2019-3556

CWE ids for CVE-2019-3556

References for CVE-2019-3556