CVE-2020-1916

Published: Mar 10, 2021Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

An incorrect size calculation in ldap_escape may lead to an integer overflow when overly long input is passed in, resulting in an out-of-bounds write. This issue affects HHVM prior to 4.56.2, all versions between 4.57.0 and 4.78.0, 4.79.0, 4.80.0, 4.81.0, 4.82.0, 4.83.0.

Affected (7)

Products: Facebook: Hhvm

1 product

Configuration A

7 vulnerable

Vulnerable Software	Affected Versions
Facebook Hhvm	Before 4.56.2
Facebook Hhvm	From 4.57.0 to 4.78.1
Facebook Hhvm	Version 4.79.0
Facebook Hhvm	Version 4.80.0
Facebook Hhvm	Version 4.81.0
Facebook Hhvm	Version 4.82.0
Facebook Hhvm	Version 4.83.0

Related CWEs

Heap-based Buffer Overflow

A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

References (4)

https://github.com/facebook/hhvm/commit/abe0b29e4d3a610f9bc920b8be4ad8403364c2d4

Source: cve-assign@fb.com

PatchThird Party Advisory

https://hhvm.com/blog/2020/11/12/security-update.html

Source: cve-assign@fb.com

Release NotesVendor Advisory

https://github.com/facebook/hhvm/commit/abe0b29e4d3a610f9bc920b8be4ad8403364c2d4

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://hhvm.com/blog/2020/11/12/security-update.html

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesVendor Advisory

Timeline

No history available yet.