Home > Vulnerability Database > CVE-2020-1898

Mend.io Vulnerability Database

CVE-2020-1898

Good to know:

Date: March 10, 2021

The fb_unserialize function did not impose a depth limit for nested deserialization. That meant a maliciously constructed string could cause deserialization to recurse, leading to stack exhaustion. This issue affected HHVM prior to v4.32.3, between versions 4.33.0 and 4.56.0, 4.57.0, 4.58.0, 4.58.1, 4.59.0, 4.60.0, 4.61.0, 4.62.0.

Language: C++

Severity Score

7.5

Related Resources (5)

Url: https://people.canonical.com/~ubuntu-security/cve/CVE-2020-1898

Url: https://hhvm.com/blog/2020/06/30/security-update.html

Url: https://github.com/facebook/hhvm/commit/1746dfb11fc0048366f34669e74318b8278a684c

Url: https://nvd.nist.gov/vuln/detail/CVE-2020-1898

Url: https://www.mend.io/vulnerability-database/CVE-2020-1898

Severity Score

7.5

Weakness Type (CWE)

Uncontrolled Recursion

CWE-674

Top Fix

Upgrade Version

Upgrade to version HHVM-4.32.3,HHVM-4.56.1,HHVM-4.58.2,HHVM-4.59.1,HHVM-4.60.1,HHVM-4.61.1,HHVM-4.62.1,HHVM-4.64.0

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

CVSS v2

Base Score:	5.0
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2020-1898

Good to know:

Date: March 10, 2021

Language: C++

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?