CVE-2020-1918

Summary

In-memory file operations (ie: using fopen on a data URI) did not properly restrict negative seeking, allowing for the reading of memory prior to the in-memory buffer. This issue affects HHVM versions prior to 4.56.3, all versions between 4.57.0 and 4.80.1, all versions between 4.81.0 and 4.93.1, and versions 4.94.0, 4.95.0, 4.96.0, 4.97.0, 4.98.0.

Affected Software

VendorProductVersion RangeStatus
FacebookHHVM4.98.1 < unspecifiedunaffected
FacebookHHVM4.98.0affected
FacebookHHVM4.97.1 < unspecifiedunaffected
FacebookHHVM4.97.0affected
FacebookHHVM4.96.1 < unspecifiedunaffected
FacebookHHVM4.96.0affected
FacebookHHVM4.95.1 < unspecifiedunaffected
FacebookHHVM4.95.0affected
FacebookHHVM4.94.1 < unspecifiedunaffected
FacebookHHVM4.94.0affected
FacebookHHVM4.93.2 < unspecifiedunaffected
FacebookHHVM4.81.0 < unspecifiedaffected
FacebookHHVM4.80.2 < unspecifiedunaffected
FacebookHHVM4.57.0 < unspecifiedaffected
FacebookHHVM4.56.3 < unspecifiedunaffected
FacebookHHVMunspecified < 4.56.3affected

Weaknesses

  • CWE-127: Buffer Under-read (CWE-127)

ADP Enrichment

CVE Program Container

Additional References

References