CVE-2019-3556
Status: PUBLISHED
HHVM supports the use of an "admin" server which accepts administrative requests over HTTP. One of those request handlers, dump-pcre-cache, can be used to output cached regular expressions from the current execution context into a file. The handler takes a parameter which specifies where on the filesystem to write this data. The parameter is not validated, allowing a malicious user to overwrite arbitrary files where the user running HHVM has write access. This issue affects HHVM versions prior to 4.56.2, all versions between 4.57.0 and 4.78.0, as well as 4.79.0, 4.80.0, 4.81.0, 4.82.0, and 4.83.0.
Risk Scores
EPSS Score: 1.67% (82.5th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:16.04:LTS | hhvm | 0, 3.11.0+dfsg-1, 3.11.1+dfsg-1 |
| Ubuntu:18.04:LTS | hhvm | *, 0, * |
Timeline
- Oct 26, 2021 CVE Published
- Oct 27, 2021 EPSS Score
- Dec 22, 2021 EPSS Score
- Feb 4, 2022 EPSS Score
- Apr 13, 2022 EPSS Score
- Jun 8, 2022 EPSS Score
- Aug 4, 2022 EPSS Score
- Sep 29, 2022 EPSS Score
- Nov 24, 2022 EPSS Score
- Jan 19, 2023 EPSS Score
- Mar 16, 2023 EPSS Score
- May 11, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2019-3556 third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2019-3556 third-party-advisory