Description
HHVM, when used with FastCGI, would bind by default to all available interfaces. This behavior could allow a malicious individual unintended direct access to the application, which could result in information disclosure. This issue affects versions 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0, 4.8.0, versions 3.30.5 and below, and all versions in the 4.0, 4.1, and 4.2 series.
References (2)
Core 2
Core References
Patch, Third Party Advisory x_refsource_misc
https://github.com/facebook/hhvm/commit/97ef580ec2cca9a54da6f9bd9fdd9a455f6d74ed
Release Notes, Vendor Advisory x_refsource_misc
https://hhvm.com/blog/2019/06/10/hhvm-4.9.0.html
Scores
CVSS v3
7.5
EPSS
0.0037
EPSS Percentile
58.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-552
CWE-668
Status
published
Products (14)
facebook/hhvm
4.0.0
facebook/hhvm
4.0.1
facebook/hhvm
4.0.2
facebook/hhvm
4.0.3
facebook/hhvm
4.0.4
facebook/hhvm
4.1.0
facebook/hhvm
4.2.0
facebook/hhvm
4.3.0
facebook/hhvm
4.4.0
facebook/hhvm
4.5.0
... and 4 more
Published
Jun 26, 2019
Tracked Since
Feb 18, 2026