Overview
- Description
- HHVM 4.172.0 and all prior versions use TLS 1.0 for secure connections when handling tls:// URLs in the stream extension. TLS1.0 has numerous published vulnerabilities and is deprecated. HHVM 4.153.4, 4.168.2, 4.169.2, 4.170.2, 4.171.1, 4.172.1, 4.173.0 replaces TLS1.0 with TLS1.3. Applications that call stream_socket_server or stream_socket_client functions with a URL starting with tls:// are affected.
- Source
- cve-assign@fb.com
- NVD status
- Modified
Risk scores
CVSS 3.1
- Type
- Primary
- Base score
- 9.8
- Impact score
- 5.9
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- CRITICAL
Weaknesses
- nvd@nist.gov
- NVD-CWE-noinfo
Social media
- Hype score
- Not currently trending
Configurations
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:facebook:hhvm:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "91487128-B88B-4E14-B1EB-D034775108B7",
"versionEndExcluding": "4.153.4"
},
{
"criteria": "cpe:2.3:a:facebook:hhvm:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "AFEBC2B2-0FDF-46EB-80B0-F1E8ED6CE459",
"versionEndExcluding": "4.168.2",
"versionStartIncluding": "4.154.0"
},
{
"criteria": "cpe:2.3:a:facebook:hhvm:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "DB8AEBFD-04EE-419A-A080-0B123FDFEF78",
"versionEndExcluding": "4.169.2",
"versionStartIncluding": "4.169.0"
},
{
"criteria": "cpe:2.3:a:facebook:hhvm:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "47EC3B3C-6874-4F23-A906-52B13EE7DD9F",
"versionEndExcluding": "4.170.2",
"versionStartIncluding": "4.170.0"
},
{
"criteria": "cpe:2.3:a:facebook:hhvm:4.171.0:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "BDC50CD5-5AF7-4331-810C-D489A4FF3FF9"
},
{
"criteria": "cpe:2.3:a:facebook:hhvm:4.172.0:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "89209682-1753-4B6B-8AF4-E7701F493C59"
}
],
"operator": "OR"
}
]
}
]