CVE-2020-1899 is a vulnerability in Facebook Hhvm
Published on March 11, 2021
The unserialize() function supported a type code, "S", which was meant to be supported only for APC serialization. This type code allowed arbitrary memory addresses to be accessed as if they were static StringData objects. This issue affected HHVM prior to v4.32.3, between versions 4.33.0 and 4.56.0, 4.57.0, 4.58.0, 4.58.1, 4.59.0, 4.60.0, 4.61.0, 4.62.0.
Weakness Type
Untrusted Pointer Dereference
The program obtains a value from an untrusted source, converts this value to a pointer, and dereferences the resulting pointer.
Products Associated with CVE-2020-1899
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2020-1899 are published in Facebook Hhvm:
Affected Versions
Facebook HHVM:- Version 4.62.1 and below unspecified is unaffected.
- Version 4.62.0 is affected.
- Version 4.61.1 and below unspecified is unaffected.
- Version 4.61.0 is affected.
- Version 4.60.1 and below unspecified is unaffected.
- Version 4.60.0 is affected.
- Version 4.59.1 and below unspecified is unaffected.
- Version 4.59.0 is affected.
- Version 4.58.2 and below unspecified is unaffected.
- Version 4.58.0 and below unspecified is affected.
- Version 4.57.1 and below unspecified is unaffected.
- Version 4.57.0 is affected.
- Version 4.56.1 and below unspecified is unaffected.
- Version 4.33.0 and below unspecified is affected.
- Version 4.32.3 and below unspecified is unaffected.
- Version unspecified and below 4.32.3 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.