Candidate: CVE-2020-1898
PublicDate: 2021-03-11 01:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1898
 https://github.com/facebook/hhvm/commit/1746dfb11fc0048366f34669e74318b8278a684c
 https://hhvm.com/blog/2020/06/30/security-update.html
Description:
 The fb_unserialize function did not impose a depth limit for nested
 deserialization. That meant a maliciously constructed string could cause
 deserialization to recurse, leading to stack exhaustion. This issue
 affected HHVM prior to v4.32.3, between versions 4.33.0 and 4.56.0, 4.57.0,
 4.58.0, 4.58.1, 4.59.0, 4.60.0, 4.61.0, 4.62.0.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]


Patches_hhvm:
upstream_hhvm: needs-triage
precise/esm_hhvm: DNE
trusty_hhvm: ignored (out of standard support)
trusty/esm_hhvm: DNE
xenial_hhvm: ignored (end of standard support, was needs-triage)
bionic_hhvm: needs-triage
focal_hhvm: DNE
groovy_hhvm: DNE
hirsute_hhvm: DNE
impish_hhvm: DNE
jammy_hhvm: DNE
devel_hhvm: DNE