Folly
CVE-2018-6337
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Primary rating from Vendor (fb) · only source for this CVE.
CVSS VectorVendor: fb
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
folly::secureRandom will re-use a buffer between parent and child processes when fork() is called. That will result in multiple forked children producing repeat (or similar) results. This affects HHVM 3.26 prior to 3.26.3 and the folly library between v2017.12.11.00 and v2018.08.09.00.
AnalysisAI
folly::secureRandom will re-use a buffer between parent and child processes when fork() is called. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Technical ContextAI
This vulnerability is classified under CWE-212. folly::secureRandom will re-use a buffer between parent and child processes when fork() is called. That will result in multiple forked children producing repeat (or similar) results. This affects HHVM 3.26 prior to 3.26.3 and the folly library between v2017.12.11.00 and v2018.08.09.00. Affected products include: Facebook Folly, Facebook Hhvm. Version information: prior to 3.26.3.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Passing an attacker controlled size when creating an IOBuf could cause integer overflow, leading to an out of bounds wri
Improper handling of close_notify alerts can result in an out-of-bounds read in AsyncSSLSocket.11.04.00. Rated critical
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today