Candidate: CVE-2020-1899
PublicDate: 2021-03-11 01:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1899
 https://github.com/facebook/hhvm/commit/1107228a5128d3ca1c4add8ac1635d933cbbe2e9
 https://hhvm.com/blog/2020/06/30/security-update.html
Description:
 The unserialize() function supported a type code, "S", which was meant to
 be supported only for APC serialization. This type code allowed arbitrary
 memory addresses to be accessed as if they were static StringData objects.
 This issue affected HHVM prior to v4.32.3, between versions 4.33.0 and
 4.56.0, 4.57.0, 4.58.0, 4.58.1, 4.59.0, 4.60.0, 4.61.0, 4.62.0.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N [7.5 HIGH]


Patches_hhvm:
upstream_hhvm: needs-triage
precise/esm_hhvm: DNE
trusty_hhvm: ignored (out of standard support)
trusty/esm_hhvm: DNE
xenial_hhvm: ignored (end of standard support, was needs-triage)
bionic_hhvm: needs-triage
focal_hhvm: DNE
groovy_hhvm: DNE
hirsute_hhvm: DNE
impish_hhvm: DNE
jammy_hhvm: DNE
devel_hhvm: DNE