CVE-2020-1898 Information
Jun 07, 2022
cve
Description
The fb_unserialize function did not impose a depth limit for nested deserialization. That meant a maliciously constructed string could cause deserialization to recurse until the stack was exhausted, crashing the process (a denial of service). This issue affected HHVM prior to v4.32.3, versions 4.33.0 through 4.56.0, and versions 4.57.0, 4.58.0, 4.58.1, 4.59.0, 4.60.0, 4.61.0 and 4.62.0.
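The following is an added example illustrating the bug class described above; it is not HHVM's code, and the tiny wire format it parses is constructed for the example, not the real fb_serialize format. It shows a recursive-descent deserializer in its vulnerable form (no depth check, so nesting drives recursion until the stack is exhausted) beside the fixed form, which rejects input once nesting exceeds a limit. The limit value kMaxDepth and the helper names are assumptions; the page does not state what limit the HHVM fix chose.

```cpp
// Added example for CVE-2020-1898 (not HHVM's code). The wire format below is
// constructed for illustration and is NOT the real fb_serialize format:
//   'i' <digits> ';'   integer
//   '[' value* ']'     list (may nest)
// The bug class: a recursive-descent deserializer with no depth limit lets
// attacker-controlled nesting drive recursion until the stack is exhausted.
#include <cctype>
#include <cstddef>
#include <cstdio>
#include <stdexcept>
#include <string>

// Assumed limit for this example; the page does not state the value HHVM chose.
constexpr size_t kMaxDepth = 256;

struct Outcome {
    bool ok;            // true if the whole input parsed
    size_t depth;       // deepest nesting level reached (top level == 0)
    std::string error;  // reason for rejection when !ok
};

class Parser {
public:
    // max_depth == 0 means "no limit", i.e. the vulnerable pre-fix behaviour.
    Parser(const std::string& s, size_t max_depth) : in_(s), max_depth_(max_depth) {}

    Outcome run() {
        try {
            parse_value(0);
            if (pos_ != in_.size()) throw std::runtime_error("trailing data");
            return {true, deepest_, ""};
        } catch (const std::runtime_error& e) {
            return {false, deepest_, e.what()};
        }
    }

private:
    const std::string& in_;
    size_t pos_ = 0;
    size_t max_depth_;
    size_t deepest_ = 0;

    // One stack frame per nesting level: this is where the fix must live.
    void parse_value(size_t depth) {
        if (max_depth_ != 0 && depth > max_depth_)
            throw std::runtime_error("nesting depth exceeds limit");
        if (depth > deepest_) deepest_ = depth;
        if (pos_ >= in_.size()) throw std::runtime_error("truncated input");

        char c = in_[pos_++];
        if (c == 'i') {
            size_t start = pos_;
            while (pos_ < in_.size() && std::isdigit(static_cast<unsigned char>(in_[pos_]))) ++pos_;
            if (pos_ == start || pos_ >= in_.size() || in_[pos_] != ';')
                throw std::runtime_error("malformed integer");
            ++pos_;  // consume ';'
            return;
        }
        if (c == '[') {
            for (;;) {
                if (pos_ >= in_.size()) throw std::runtime_error("unterminated list");
                if (in_[pos_] == ']') { ++pos_; return; }
                parse_value(depth + 1);  // recursion: unbounded without the check above
            }
        }
        throw std::runtime_error("unknown type code");
    }
};

// Pre-fix behaviour: no depth check. Never feed this attacker-controlled input;
// deeply nested data recurses until the stack is exhausted and the process dies.
Outcome fb_unserialize_unbounded(const std::string& s) { return Parser(s, 0).run(); }

// Fixed behaviour: reject input once nesting exceeds the limit, long before the
// stack is at risk, and return an error instead of crashing.
Outcome fb_unserialize_bounded(const std::string& s, size_t limit = kMaxDepth) {
    return Parser(s, limit).run();
}

// Constructed attacker input: n lists nested inside each other, e.g. "[[[i1;]]]".
std::string nested(size_t n) {
    return std::string(n, '[') + "i1;" + std::string(n, ']');
}

int main() {
    Outcome shallow = fb_unserialize_bounded(nested(8));
    std::printf("depth 8: ok=%d depth=%zu\n", shallow.ok, shallow.depth);
    Outcome deep = fb_unserialize_bounded(nested(1000000));  // one million levels
    std::printf("depth 1e6: ok=%d error=%s\n", deep.ok, deep.error.c_str());
    return 0;
}
```

The depth counter is passed down every recursive call and checked before any further recursion, so a million-level payload is rejected after kMaxDepth frames rather than after the stack is gone. The same defence applies to any recursive parser that consumes untrusted input: either bound the recursion explicitly, as here, or rewrite the parser iteratively with a heap-allocated stack that is itself size-limited. Returning an error turns an unauthenticated process crash into a rejected request.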
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Reference
https://github.com/facebook/hhvm/commit/1746dfb11fc0048366f34669e74318b8278a684c
https://hhvm.com/blog/2020/06/30/security-update.html
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
Base Score
7.5
Base Severity
HIGH