| Field | Value |
|---|---|
| Vulnerability Name | CVE-2021-24036 (CCN-206248) |
| Assigned | 2021-07-22 |
| Published | 2021-07-22 |
| Updated | 2022-10-26 |
| Summary | Passing an attacker-controlled size when creating an IOBuf could cause an integer overflow, leading to an out-of-bounds write on the heap with the possibility of remote code execution. This issue affects versions of folly prior to v2021.07.22.00. It affects HHVM versions prior to 4.80.5, all versions between 4.81.0 and 4.102.1, all versions between 4.103.0 and 4.113.0, and versions 4.114.0, 4.115.0, 4.116.0, 4.117.0, 4.118.0 and 4.118.1. |
| Vulnerability Type | CWE-190 |
| Vulnerability Consequences | Gain Access |

CVSS v3 Severity:

| Scoring | Score | Vector |
|---|---|---|
| CVSS v3.1 | 9.8 Critical | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Temporal CVSS v3.1 | 8.5 High | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
| CCN CVSS v3.1 | 9.8 Critical | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CCN Temporal CVSS v3.1 | 8.5 High | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |

| Metric group | Metrics (identical for the CVSS v3.1 and CCN CVSS v3.1 scores) |
|---|---|
| Exploitability | Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None |
| Scope | Scope (S): Unchanged |
| Impact | Confidentiality (C): High; Integrity (I): High; Availability (A): High |

CVSS v2 Severity:

| Scoring | Score | Vector | Exploitability Metrics | Impact Metrics |
|---|---|---|---|---|
| CVSS v2 | 7.5 High | AV:N/AC:L/Au:N/C:P/I:P/A:P | Access Vector (AV): Network; Access Complexity (AC): Low; Authentication (Au): None | Confidentiality (C): Partial; Integrity (I): Partial; Availability (A): Partial |
| CCN CVSS v2 | 10.0 High | AV:N/AC:L/Au:N/C:C/I:C/A:C | Access Vector (AV): Network; Access Complexity (AC): Low; Authentication (Au): None | Confidentiality (C): Complete; Integrity (I): Complete; Availability (A): Complete |

References:

| Source | Type | Reference |
|---|---|---|
| MITRE | CNA | CVE-2021-24036 |
| XF | UNKNOWN | facebook-cve202124036-code-exec(206248) |
| MISC | Patch, Third Party Advisory | https://github.com/facebook/folly/commit/4f304af1411e68851bdd00ef6140e9de4616f7d3 |
| CONFIRM | Product, Vendor Advisory | https://hhvm.com/blog/2021/07/20/security-update.html |
| CCN | Facebook Web site | CVE-2021-24036 |
| CONFIRM | Vendor Advisory | https://www.facebook.com/security/advisories/cve-2021-24036 |
| CCN | WhiteSource Vulnerability Database | CVE-2021-24036 |

Vulnerable Configuration:

Configuration 1 (any one of the following):

- cpe:/a:facebook:hhvm:*:*:*:*:*:*:*:* (Version >= 4.81.0 and <= 4.102.1)
- cpe:/a:facebook:hhvm:4.115.0:*:*:*:*:*:*:*
- cpe:/a:facebook:hhvm:4.116.0:*:*:*:*:*:*:*
- cpe:/a:facebook:hhvm:4.117.0:*:*:*:*:*:*:*
- cpe:/a:facebook:hhvm:*:*:*:*:*:*:*:* (Version < 4.80.5)
- cpe:/a:facebook:hhvm:*:*:*:*:*:*:*:* (Version >= 4.103.0 and <= 4.113.0)
- cpe:/a:facebook:hhvm:4.114.0:*:*:*:*:*:*:*
- cpe:/a:facebook:hhvm:4.118.0:*:*:*:*:*:*:*
- cpe:/a:facebook:hhvm:4.118.1:*:*:*:*:*:*:*
- cpe:/a:facebook:folly:*:*:*:*:*:*:*:* (Version < 2021.07.22.00)

Configuration CCN 1 (any one of the following):

- cpe:/a:facebook:hhvm:4.81.0:*:*:*:*:*:*:*
- cpe:/a:facebook:hhvm:4.118.1:*:*:*:*:*:*:*
- cpe:/a:facebook:hhvm:4.80.5:*:*:*:*:*:*:*
- cpe:/a:facebook:hhvm:4.103.0:*:*:*:*:*:*:*
- cpe:/a:facebook:hhvm:4.113.0:*:*:*:*:*:*:*
- cpe:/a:facebook:hhvm:4.114.0:*:*:*:*:*:*:*