Vulnerabilities > Facebook > Hhvm > Medium
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-10-26 | CVE-2019-3556 | Path Traversal vulnerability in Facebook Hhvm: HHVM supports the use of an "admin" server which accepts administrative requests over HTTP. | 5.5 |
2021-03-11 | CVE-2020-1899 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Facebook Hhvm: The unserialize() function supported a type code, "S", which was meant to be supported only for APC serialization. | 5.0 |
2021-03-11 | CVE-2020-1898 | Uncontrolled Recursion vulnerability in Facebook Hhvm: The fb_unserialize function did not impose a depth limit for nested deserialization. | 5.0 |
2021-03-10 | CVE-2020-1921 | Out-of-bounds Write vulnerability in Facebook Hhvm: In the crypt function, we attempt to null terminate a buffer using the size of the input salt without validating that the offset is within the buffer. | 5.0 |
2021-03-10 | CVE-2020-1919 | Out-of-bounds Read vulnerability in Facebook Hhvm: Incorrect bounds calculations in substr_compare could lead to an out-of-bounds read when the second string argument passed in is longer than the first. | 5.0 |
2021-03-10 | CVE-2020-1918 | Out-of-bounds Read vulnerability in Facebook Hhvm: In-memory file operations (i.e., using fopen on a data URI) did not properly restrict negative seeking, allowing for the reading of memory prior to the in-memory buffer. | 5.0 |
2020-03-03 | CVE-2020-1893 | Out-of-bounds Read vulnerability in Facebook Hhvm: Insufficient boundary checks when decoding JSON in TryParse reads out-of-bounds memory, potentially leading to DoS. | 5.0 |
2020-03-03 | CVE-2020-1892 | Out-of-bounds Read vulnerability in Facebook Hhvm: Insufficient boundary checks when decoding JSON in JSON_parser allows read access to out-of-bounds memory, potentially leading to information leak and DoS. | 6.4 |
2020-03-03 | CVE-2020-1888 | Out-of-bounds Read vulnerability in Facebook Hhvm: Insufficient boundary checks when decoding JSON in handleBackslash reads out-of-bounds memory, potentially leading to DoS. | 5.0 |
2020-02-19 | CVE-2016-1000109 | Improper Initialization vulnerability in Facebook Hhvm: HHVM does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. | 5.0 |