CVE-2020-1917

xbuf_format_converter, used as part of exif_read_data, was appending a terminating null character to the generated string, but was not using its standard append char function. As a result, if the buffer was full, it would result in an out-of-bounds write. This issue affects HHVM versions prior to 4.56.3, all versions between 4.57.0 and 4.80.1, all versions between 4.81.0 and 4.93.1, and versions 4.94.0, 4.95.0, 4.96.0, 4.97.0, 4.98.0.

CVSS v3 9.8 CRITICAL
CVSS v2.0 7.5 HIGH

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/facebook/hhvm/commit/08193b7f0cd3910256e00d599f0f3eb2519c44ca	Patch Third Party Advisory
https://hhvm.com/blog/2021/02/25/security-update.html	Release Notes Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:facebook:hhvm::::::::
	cpe:2.3:a:facebook:hhvm::::::::
	cpe:2.3:a:facebook:hhvm::::::::
	cpe:2.3:a:facebook:hhvm:4.94.0:::::::*
	cpe:2.3:a:facebook:hhvm:4.95.0:::::::*
	cpe:2.3:a:facebook:hhvm:4.96.0:::::::*
	cpe:2.3:a:facebook:hhvm:4.97.0:::::::*
	cpe:2.3:a:facebook:hhvm:4.98.0:::::::*

History

No history.

Information

Published : 2021-03-10 16:15

Updated : 2024-02-28 18:08

NVD link : CVE-2020-1917

Mitre link : CVE-2020-1917

CVE.ORG link : CVE-2020-1917

JSON object : View

Products Affected

facebook

hhvm

CWE

CWE-787

Out-of-bounds Write

CWE-122

Heap-based Buffer Overflow

{"id": "CVE-2020-1917", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2021-03-10T16:15:14.313", "references": [{"url": "https://github.com/facebook/hhvm/commit/08193b7f0cd3910256e00d599f0f3eb2519c44ca", "tags": ["Patch", "Third Party Advisory"], "source": "cve-assign@fb.com"}, {"url": "https://hhvm.com/blog/2021/02/25/security-update.html", "tags": ["Release Notes", "Vendor Advisory"], "source": "cve-assign@fb.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-787"}]}, {"type": "Secondary", "source": "cve-assign@fb.com", "description": [{"lang": "en", "value": "CWE-122"}]}], "descriptions": [{"lang": "en", "value": "xbuf_format_converter, used as part of exif_read_data, was appending a terminating null character to the generated string, but was not using its standard append char function. As a result, if the buffer was full, it would result in an out-of-bounds write. This issue affects HHVM versions prior to 4.56.3, all versions between 4.57.0 and 4.80.1, all versions between 4.81.0 and 4.93.1, and versions 4.94.0, 4.95.0, 4.96.0, 4.97.0, 4.98.0."}, {"lang": "es", "value": "La funci\u00f3n xbuf_format_converter, usada como parte de exif_read_data, estaba agregando un car\u00e1cter null de terminaci\u00f3n a la cadena generada, pero no estaba usando su funci\u00f3n est\u00e1ndar append char. Como resultado, si el b\u00fafer estuviera lleno, resultar\u00eda en una escritura fuera de l\u00edmites. Este problema afecta HHVM versiones anteriores a 4.56.3, todas las versiones entre 4.57.0 y 4.80.1, todas las versiones entre 4.81.0 y 4.93.1 y las versiones 4.94.0, 4.95.0, 4.96.0, 4.97.0 , 4.98.0"}], "lastModified": "2021-03-17T19:29:32.607", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:facebook:hhvm:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "069C0B7D-5233-4EFF-BBA7-8B84D9227044", "versionEndExcluding": "4.56.3"}, {"criteria": "cpe:2.3:a:facebook:hhvm:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "59DAD37C-9F51-4BE3-B045-537CA259F7F7", "versionEndExcluding": "4.80.2", "versionStartIncluding": "4.57.0"}, {"criteria": "cpe:2.3:a:facebook:hhvm:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3B78720F-AA79-459F-A66C-5C4D67D7EE31", "versionEndExcluding": "4.93.2", "versionStartIncluding": "4.81.0"}, {"criteria": "cpe:2.3:a:facebook:hhvm:4.94.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1C4B9A3C-6A5A-45C4-A490-C13CF6D6A867"}, {"criteria": "cpe:2.3:a:facebook:hhvm:4.95.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "18D33DC0-E6A7-4DC6-8E9A-2B85842EC21B"}, {"criteria": "cpe:2.3:a:facebook:hhvm:4.96.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B0B9078D-3C25-45B2-B5F2-59585A47BACB"}, {"criteria": "cpe:2.3:a:facebook:hhvm:4.97.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7B8F5C11-8610-4099-8A45-E6241F3D24E0"}, {"criteria": "cpe:2.3:a:facebook:hhvm:4.98.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "47FF13C3-19DC-4F53-BF9D-38AC89D647D5"}], "operator": "OR"}]}], "sourceIdentifier": "cve-assign@fb.com"}