CVE-2019-3569

HIGH

Facebook Hhvm < 3.30.5 - Information Disclosure

Title source: rule

Description

HHVM, when used with FastCGI, would bind by default to all available interfaces. This behavior could allow a malicious individual unintended direct access to the application, which could result in information disclosure. This issue affects versions 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0, 4.8.0, versions 3.30.5 and below, and all versions in the 4.0, 4.1, and 4.2 series.

References (2)

[Patch, Third Party Advisory] https://github.com/facebook/hhvm/commit/97ef580ec2cca9a54da6f9bd9fdd9a455f6d74ed

View Patch ZIP pw:eip

[Release Notes, Vendor Advisory] https://hhvm.com/blog/2019/06/10/hhvm-4.9.0.html

Scores

CVSS v3 7.5

EPSS 0.0037

EPSS Percentile 58.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Classification

CWE

CWE-552 CWE-668

Status published

Affected Products (14)

facebook/hhvm < 3.30.5

facebook/hhvm

Timeline

Published Jun 26, 2019

Tracked Since Feb 18, 2026