Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2019-3570

Опубликовано: 18 июл. 2019
Источник: nvd
CVSS3: 9.8
CVSS2: 7.5
EPSS Низкий

Описание

Call to the scrypt_enc() function in HHVM can lead to heap corruption by using specifically crafted parameters (N, r and p). This happens if the parameters are configurable by an attacker for instance by providing the output of scrypt_enc() in a context where Hack/PHP code would attempt to verify it by re-running scrypt_enc() with the same parameters. This could result in information disclosure, memory being overwriten or crashes of the HHVM process. This issue affects versions 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0, 4.8.0, versions 3.30.5 and below, and all versions in the 4.0, 4.1, and 4.2 series.

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:facebook:hiphop_virtual_machine:*:*:*:*:*:*:*:*
Версия до 3.30.5 (включая)
cpe:2.3:a:facebook:hiphop_virtual_machine:*:*:*:*:*:*:*:*
Версия от 4.0.0 (включая) до 4.0.4 (включая)
cpe:2.3:a:facebook:hiphop_virtual_machine:4.1.0:*:*:*:*:*:*:*
cpe:2.3:a:facebook:hiphop_virtual_machine:4.2.0:*:*:*:*:*:*:*
cpe:2.3:a:facebook:hiphop_virtual_machine:4.3.0:*:*:*:*:*:*:*
cpe:2.3:a:facebook:hiphop_virtual_machine:4.4.0:*:*:*:*:*:*:*
cpe:2.3:a:facebook:hiphop_virtual_machine:4.5.0:*:*:*:*:*:*:*
cpe:2.3:a:facebook:hiphop_virtual_machine:4.6.0:*:*:*:*:*:*:*
cpe:2.3:a:facebook:hiphop_virtual_machine:4.7.0:*:*:*:*:*:*:*
cpe:2.3:a:facebook:hiphop_virtual_machine:4.8.0:*:*:*:*:*:*:*

EPSS

Процентиль: 69%
0.00607
Низкий

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-122
CWE-787

Связанные уязвимости

ubuntu логотип

CVE-2019-3570

CVSS3: 9.8
ubuntu
больше 6 лет назад

Call to the scrypt_enc() function in HHVM can lead to heap corruption by using specifically crafted parameters (N, r and p). This happens if the parameters are configurable by an attacker for instance by providing the output of scrypt_enc() in a context where Hack/PHP code would attempt to verify it by re-running scrypt_enc() with the same parameters. This could result in information disclosure, memory being overwriten or crashes of the HHVM process. This issue affects versions 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0, 4.8.0, versions 3.30.5 and below, and all versions in the 4.0, 4.1, and 4.2 series.

debian логотип

CVE-2019-3570

CVSS3: 9.8
debian
больше 6 лет назад

Call to the scrypt_enc() function in HHVM can lead to heap corruption ...

github логотип

GHSA-4335-6g7p-5556

github
больше 3 лет назад

Call to the scrypt_enc() function in HHVM can lead to heap corruption by using specifically crafted parameters (N, r and p). This happens if the parameters are configurable by an attacker for instance by providing the output of scrypt_enc() in a context where Hack/PHP code would attempt to verify it by re-running scrypt_enc() with the same parameters. This could result in information disclosure, memory being overwriten or crashes of the HHVM process. This issue affects versions 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0, 4.8.0, versions 3.30.5 and below, and all versions in the 4.0, 4.1, and 4.2 series.

EPSS

Процентиль: 69%
0.00607
Низкий

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-122
CWE-787