CVE-2020-1888
Summary
| CVE | CVE-2020-1888 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2020-03-03 15:15:00 UTC |
| Updated | 2020-03-05 20:23:00 UTC |
| Description | Insufficient boundary checks when decoding JSON in handleBackslash reads out of bounds memory, potentially leading to DOS. This issue affects HHVM 4.45.0, 4.44.0, 4.43.0, 4.42.0, 4.41.0, 4.40.0, 4.39.0, versions between 4.33.0 and 4.38.0 (inclusive), versions between 4.9.0 and 4.32.0 (inclusive), and versions prior to 4.8.7. |
Risk And Classification
Problem Types: CWE-125
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Hhvm | All | All | All | All | |
| Application | Hhvm | 4.39.0 | All | All | All | |
| Application | Hhvm | 4.40.0 | All | All | All | |
| Application | Hhvm | 4.41.0 | All | All | All | |
| Application | Hhvm | 4.42.0 | All | All | All | |
| Application | Hhvm | 4.43.0 | All | All | All | |
| Application | Hhvm | 4.44.0 | All | All | All | |
| Application | Hhvm | 4.45.0 | All | All | All | |
| Application | Hhvm | All | All | All | All | |
| Application | Hhvm | 4.39.0 | All | All | All | |
| Application | Hhvm | 4.40.0 | All | All | All | |
| Application | Hhvm | 4.41.0 | All | All | All | |
| Application | Hhvm | 4.42.0 | All | All | All | |
| Application | Hhvm | 4.43.0 | All | All | All | |
| Application | Hhvm | 4.44.0 | All | All | All | |
| Application | Hhvm | 4.45.0 | All | All | All | |
| Application | Hhvm | All | All | All | All | |
| Application | Hhvm | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Security Update | HHVM | CONFIRM | hhvm.com | Vendor Advisory |
| Fix buffer overrun in SimpleParser::handleBackslash · facebook/hhvm@b367912 · GitHub | CONFIRM | github.com | Patch |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.