Path Traversal in Facebook HHVM
CVE-2019-3556
HHVM supports the use of an "admin" server which accepts administrative requests over HTTP. One of those request handlers, dump-pcre-cache, can be used to output cached regular expressions from the current execution context into a file. Th…
Vulnerability class: Path Traversal (Directory Traversal)
EPSS: 0.017 (82.5th percentile)
Affected products
- Facebook HHVM — versions 4.83.1, 4.83.0, 4.82.1
Weakness classification (CWE)
References
- hhvm.com/blog/2020/11/12/security-update.html (x_refsource_CONFIRM)
- github.com/facebook/hhvm/commit/abe0b29e4d3a610f9bc920b8be4ad8403364c2d4 (x_refsource_CONFIRM)
- www.facebook.com/security/advisories/cve-2019-3556 (x_refsource_CONFIRM)