CVE-2020-1892
Summary
| CVE | CVE-2020-1892 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2020-03-03 15:15:00 UTC |
| Updated | 2020-03-05 20:28:00 UTC |
| Description | Insufficient boundary checks when decoding JSON in JSON_parser allows read access to out of bounds memory, potentially leading to information leak and DOS. This issue affects HHVM 4.45.0, 4.44.0, 4.43.0, 4.42.0, 4.41.0, 4.40.0, 4.39.0, versions between 4.33.0 and 4.38.0 (inclusive), versions between 4.9.0 and 4.32.0 (inclusive), and versions prior to 4.8.7. |
Risk And Classification
Problem Types: CWE-125
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Hhvm | All | All | All | All | |
| Application | Hhvm | 4.39.0 | All | All | All | |
| Application | Hhvm | 4.40.0 | All | All | All | |
| Application | Hhvm | 4.41.0 | All | All | All | |
| Application | Hhvm | 4.42.0 | All | All | All | |
| Application | Hhvm | 4.43.0 | All | All | All | |
| Application | Hhvm | 4.44.0 | All | All | All | |
| Application | Hhvm | 4.45.0 | All | All | All | |
| Application | Hhvm | All | All | All | All | |
| Application | Hhvm | 4.39.0 | All | All | All | |
| Application | Hhvm | 4.40.0 | All | All | All | |
| Application | Hhvm | 4.41.0 | All | All | All | |
| Application | Hhvm | 4.42.0 | All | All | All | |
| Application | Hhvm | 4.43.0 | All | All | All | |
| Application | Hhvm | 4.44.0 | All | All | All | |
| Application | Hhvm | 4.45.0 | All | All | All | |
| Application | Hhvm | All | All | All | All | |
| Application | Hhvm | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Security Update | HHVM | CONFIRM | hhvm.com | Vendor Advisory |
| Fix a json_decode crash when depth==0 · facebook/hhvm@dabd48c · GitHub | CONFIRM | github.com | Patch |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.