CVE-2020-1899 is a vulnerability in Facebook Hhvm
Published on March 11, 2021
The unserialize() function supported a type code, "S", which was meant to be supported only for APC serialization. This type code allowed arbitrary memory addresses to be accessed as if they were static StringData objects. This issue affected HHVM prior to v4.32.3, between versions 4.33.0 and 4.56.0, 4.57.0, 4.58.0, 4.58.1, 4.59.0, 4.60.0, 4.61.0, 4.62.0.
Weakness Type
Untrusted Pointer Dereference
The program obtains a value from an untrusted source, converts this value to a pointer, and dereferences the resulting pointer.
Products Associated with CVE-2020-1899
Want to know whenever a new CVE is published for Facebook Hhvm? stack.watch will email you.
Affected Versions
Facebook HHVM:- Version 4.62.1 and below unspecified is unaffected.
- Version 4.62.0 is affected.
- Version 4.61.1 and below unspecified is unaffected.
- Version 4.61.0 is affected.
- Version 4.60.1 and below unspecified is unaffected.
- Version 4.60.0 is affected.
- Version 4.59.1 and below unspecified is unaffected.
- Version 4.59.0 is affected.
- Version 4.58.2 and below unspecified is unaffected.
- Version 4.58.0 and below unspecified is affected.
- Version 4.57.1 and below unspecified is unaffected.
- Version 4.57.0 is affected.
- Version 4.56.1 and below unspecified is unaffected.
- Version 4.33.0 and below unspecified is affected.
- Version 4.32.3 and below unspecified is unaffected.
- Version unspecified and below 4.32.3 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.