CVE-2019-11936

Summary

Various APC functions accept keys containing null bytes as input, leading to premature truncation of input. This issue affects HHVM versions prior to 3.30.12, all versions between 4.0.0 and 4.8.5, all versions between 4.9.0 and 4.23.1, as well as 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0, and 4.28.1.

Affected Software

VendorProductVersion RangeStatus
FacebookHHVM4.28.2affected
FacebookHHVM4.28.0 < unspecifiedaffected
FacebookHHVM4.27.1affected
FacebookHHVM4.27.0 < unspecifiedaffected
FacebookHHVM4.26.1affected
FacebookHHVM4.26.0 < unspecifiedaffected
FacebookHHVM4.25.1affected
FacebookHHVM4.25.0 < unspecifiedaffected
FacebookHHVM4.24.1affected
FacebookHHVM4.24.0 < unspecifiedaffected
FacebookHHVM4.23.2affected
FacebookHHVM4.9.0 < unspecifiedaffected
FacebookHHVM4.8.6affected
FacebookHHVM4.0.0 < unspecifiedaffected
FacebookHHVM3.30.12affected
FacebookHHVMunspecified < 3.30.12affected

Weaknesses

  • CWE-626: CWE-626: Null Byte Interaction Error (Poison Null Byte)

ADP Enrichment

CVE Program Container

Additional References

References