Security Advisory

CVE-2020-1899

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2021-03-11 00:55:19
Last updated 2024-08-04 06:53:59
Assigner facebook
State PUBLISHED

Description

The unserialize() function supported a type code, "S", which was meant to be supported only for APC serialization. This type code allowed arbitrary memory addresses to be accessed as if they were static StringData objects. This issue affected HHVM versions prior to v4.32.3, versions between 4.33.0 and 4.56.0, and versions 4.57.0, 4.58.0, 4.58.1, 4.59.0, 4.60.0, 4.61.0 and 4.62.0.
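The affected-version list above is awkward to apply by hand across a fleet, so the following is an added example (not part of the advisory or of HHVM itself) that turns it into a check a defender can run over an inventory of `hhvm --version` banners. It assumes the "between versions 4.33.0 and 4.56.0" range is inclusive at both ends, which the advisory does not state explicitly; the host names and banners in `SAMPLE_INVENTORY` are constructed sample data.

```python
"""Affected-version triage for CVE-2020-1899 (HHVM unserialize() "S" type code).

Added example, not code from the advisory or the HHVM project. The version
ranges are transcribed from the advisory text; the 4.33.0 .. 4.56.0 range is
ASSUMED to be inclusive at both ends (the advisory does not say).
"""
import re
from typing import Dict, FrozenSet, List, Optional, Tuple

VersionTuple = Tuple[int, int, int]


def parse_version(text: str) -> VersionTuple:
    """Parse 'v4.32.3', '4.32.3' or a banner like 'HipHop VM 4.32.3 (rel)'
    into (4, 32, 3).

    Raises ValueError when no MAJOR.MINOR.PATCH triple is present, so a caller
    cannot silently treat an unparseable banner as "not affected".
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version triple found in {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


# Contiguous affected ranges from the advisory: (low, high), both inclusive;
# low=None means "every release below high".
AFFECTED_RANGES: List[Tuple[Optional[VersionTuple], VersionTuple]] = [
    (None, (4, 32, 2)),         # "prior to v4.32.3"
    ((4, 33, 0), (4, 56, 0)),   # "between versions 4.33.0 and 4.56.0" (assumed inclusive)
]

# Releases the advisory lists individually.
AFFECTED_EXACT: FrozenSet[VersionTuple] = frozenset({
    (4, 57, 0), (4, 58, 0), (4, 58, 1), (4, 59, 0),
    (4, 60, 0), (4, 61, 0), (4, 62, 0),
})


def is_affected(version: str) -> bool:
    """True when the given HHVM version string falls in an affected range."""
    v = parse_version(version)
    if v in AFFECTED_EXACT:
        return True
    for low, high in AFFECTED_RANGES:
        if (low is None or low <= v) and v <= high:
            return True
    return False


# Constructed sample inventory (host -> banner); not real hosts.
SAMPLE_INVENTORY: Dict[str, str] = {
    "web-01": "HipHop VM 4.32.2 (rel)",
    "web-02": "HipHop VM 4.32.3 (rel)",
    "web-03": "HipHop VM 4.56.0 (rel)",
    "web-04": "HipHop VM 4.63.1 (rel)",
    "web-05": "unknown",
}


def triage(inventory: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Split an inventory into (affected hosts, hosts whose banner could not
    be parsed). Unparseable hosts are reported separately rather than being
    assumed safe, so they can be checked by hand."""
    affected: List[str] = []
    unknown: List[str] = []
    for host, banner in sorted(inventory.items()):
        try:
            if is_affected(banner):
                affected.append(host)
        except ValueError:
            unknown.append(host)
    return affected, unknown


if __name__ == "__main__":
    hit, unparsed = triage(SAMPLE_INVENTORY)
    print("affected:", hit)
    print("needs manual check:", unparsed)
```

Note that 4.32.3 through 4.32.x are deliberately not flagged, matching the advisory's "prior to v4.32.3", while 4.33.0 is flagged again because it opens the second range; a checker that only compares against the first fixed version would miss every later affected release.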