CVE-2019-11929

Summary

Insufficient boundary checks when formatting numbers in number_format allows read/write access to out-of-bounds memory, potentially leading to remote code execution. This issue affects HHVM versions prior to 3.30.10, all versions between 4.0.0 and 4.8.5, all versions between 4.9.0 and 4.18.2, and versions 4.19.0, 4.19.1, 4.20.0, 4.20.1, 4.20.2, 4.21.0, 4.22.0, 4.23.0.

Affected Software

VendorProductVersion RangeStatus
FacebookHHVM4.24.0affected
FacebookHHVM4.23.2affected
FacebookHHVM4.23.0 < unspecifiedaffected
FacebookHHVM4.22.1affected
FacebookHHVM4.22.0 < unspecifiedaffected
FacebookHHVM4.21.1affected
FacebookHHVM4.21.0 < unspecifiedaffected
FacebookHHVM4.20.3affected
FacebookHHVM4.20.0 < unspecifiedaffected
FacebookHHVM4.19.2affected
FacebookHHVM4.19.0 < unspecifiedaffected
FacebookHHVM4.18.3affected
FacebookHHVM4.9.0 < unspecifiedaffected
FacebookHHVM4.8.5affected
FacebookHHVM4.0.0 < unspecifiedaffected
FacebookHHVM3.30.11affected
FacebookHHVMunspecified <= 3.30.10affected

Weaknesses

  • CWE-119: CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

ADP Enrichment

CVE Program Container

Additional References

References