Vulnerability Name: CVE-2014-1439 (CCN-90979)

Assigned: 2014-02-01
Published: 2014-02-01
Updated: 2017-08-29
Summary: The libxml_disable_entity_loader function in runtime/ext/ext_simplexml.cpp in HipHop Virtual Machine for PHP (HHVM) before 2.4.0 and 2.3.x before 2.3.3 does not properly disable a certain libxml handler, which allows remote attackers to conduct XML External Entity (XXE) attacks.
CWE-611: Improper Restriction of XML External Entity Reference ('XXE')
CVSS v3 Severity: 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): Low
Integrity (I): None
Availability (A): None
CVSS v2 Severity: 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
Vulnerability Type: CWE-Other
Vulnerability Consequences: Obtain Information
References:
Source: MITRE
Type: CNA
CVE-2014-1439

Source: CCN
Type: HipHop Virtual Machine Web site
HipHop Virtual Machine for PHP

Source: CONFIRM
Type: Vendor Advisory
http://www.hhvm.com/blog/3287/hhvm-2-4-0

Source: CCN
Type: BID-65479
HipHop Virtual Machine 'ext_simplexml.cpp' XML External Entity Information Disclosure Vulnerability

Source: XF
Type: UNKNOWN
hhvm-cve20141439-info-disc(90979)

Source: CONFIRM
Type: UNKNOWN
https://github.com/facebook/hhvm/commit/95f96e7287effe2fcdfb9a5338d1a7e4f55b083b

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2014-1439

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:hiphop_virtual_machine_for_php_project:hiphop_virtual_machine_for_php:2.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:hiphop_virtual_machine_for_php_project:hiphop_virtual_machine_for_php:2.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:hiphop_virtual_machine_for_php_project:hiphop_virtual_machine_for_php:2.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:hiphop_virtual_machine_for_php_project:hiphop_virtual_machine_for_php:2.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:hiphop_virtual_machine_for_php_project:hiphop_virtual_machine_for_php:2.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:hiphop_virtual_machine_for_php_project:hiphop_virtual_machine_for_php:2.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:hiphop_virtual_machine_for_php_project:hiphop_virtual_machine_for_php:2.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:hiphop_virtual_machine_for_php_project:hiphop_virtual_machine_for_php:*:*:*:*:*:*:*:* (Version <= 2.3.2)

Configuration CCN 1:
  • cpe:/a:hiphop_virtual_machine_for_php_project:hiphop_virtual_machine_for_php:2.3.2:*:*:*:*:*:*:*
  • OR cpe:/a:hiphop_virtual_machine_for_php_project:hiphop_virtual_machine_for_php:2.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:hiphop_virtual_machine_for_php_project:hiphop_virtual_machine_for_php:2.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:hiphop_virtual_machine_for_php_project:hiphop_virtual_machine_for_php:2.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:hiphop_virtual_machine_for_php_project:hiphop_virtual_machine_for_php:2.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:hiphop_virtual_machine_for_php_project:hiphop_virtual_machine_for_php:2.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:hiphop_virtual_machine_for_php_project:hiphop_virtual_machine_for_php:2.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:hiphop_virtual_machine_for_php_project:hiphop_virtual_machine_for_php:2.0.0:*:*:*:*:*:*:*

* Denotes that component is vulnerable