Skip to main content

Hhvm CVE-2018-6332

MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2018-12-03 cve-assign@fb.com
5.9
CVSS 3.1 · Vendor: fb
Share

Severity by source

Vendor (fb) PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from Vendor (fb) · only source for this CVE.

CVSS VectorVendor: fb

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
CVE Published
Dec 03, 2018 - 14:29 cve.org
MEDIUM 5.9

DescriptionCVE.org

A potential denial-of-service issue in the Proxygen handling of invalid HTTP2 settings which can cause the server to spend disproportionate resources. This affects all supported versions of HHVM (3.24.3 and 3.21.7 and below) when using the proxygen server to handle HTTP2 requests.

AnalysisAI

A potential denial-of-service issue in the Proxygen handling of invalid HTTP2 settings which can cause the server to spend disproportionate resources. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Uncontrolled Resource Consumption (CWE-400), which allows attackers to cause denial of service by exhausting system resources. A potential denial-of-service issue in the Proxygen handling of invalid HTTP2 settings which can cause the server to spend disproportionate resources. This affects all supported versions of HHVM (3.24.3 and 3.21.7 and below) when using the proxygen server to handle HTTP2 requests. Affected products include: Facebook Hhvm.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement rate limiting, set resource quotas, validate input sizes, use timeouts.

More in Hhvm

View all
CVE-2016-6870 CRITICAL
9.8 Feb 17

Out-of-bounds write in the (1) mb_detect_encoding, (2) mb_send_mail, and (3) mb_detect_order functions in Facebook HHVM

CVE-2016-6875 CRITICAL
9.8 Feb 17

Infinite recursion in wddx in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vector

CVE-2016-6874 CRITICAL
9.8 Feb 17

The array_*_recursive functions in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown v

CVE-2016-6873 CRITICAL
9.8 Feb 17

Self recursion in compact in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors

CVE-2016-6872 CRITICAL
9.8 Feb 17

Integer overflow in StringUtil::implode in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via u

CVE-2016-6871 CRITICAL
9.8 Feb 17

Integer overflow in bcmath in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vector

CVE-2021-24036 CRITICAL
9.8 Jul 23

Passing an attacker controlled size when creating an IOBuf could cause integer overflow, leading to an out of bounds wri

CVE-2021-24025 CRITICAL
9.8 Mar 10

Due to incorrect string size calculations inside the preg_quote function, a large input string passed to the function ca

CVE-2019-11936 CRITICAL
9.8 Dec 04

Various APC functions accept keys containing null bytes as input, leading to premature truncation of input.30.12, all ve

CVE-2019-11935 CRITICAL
9.8 Dec 04

Insufficient boundary checks when processing a string in mb_ereg_replace allows access to out-of-bounds memory.30.12, al

CVE-2019-11930 CRITICAL
9.8 Dec 04

An invalid free in mb_detect_order can cause the application to crash or potentially result in remote code execution.30.

CVE-2019-11929 CRITICAL
9.8 Oct 02

Insufficient boundary checks when formatting numbers in number_format allows read/write access to out-of-bounds memory,

Share

CVE-2018-6332 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy