CVE-2016-1000109

EUVD-2016-1054

19.02.2020, 13:15

HHVM does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. This issue affects HHVM versions prior to 3.9.6, all versions between 3.10.0 and 3.12.4 (inclusive), and all versions between 3.13.0 and 3.14.2 (inclusive).

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 81%

Affected Products (NVD)

Vendor	Product	Version
facebook	hhvm	𝑥 < 3.9.6
facebook	hhvm	3.10.0 ≤ 𝑥 ≤ 3.12.4
facebook	hhvm	3.13.0 ≤ 𝑥 ≤ 3.14.2

𝑥

= Vulnerable software versions

Ubuntu Releases

Ubuntu Product

Codename

hhvm

artful	not-affected
bionic	not-affected
cosmic	dne
disco	dne
eoan	dne
focal	dne
groovy	dne
hirsute	dne
impish	dne
jammy	dne
mantic	dne
noble	dne
precise	dne
trusty	dne
xenial	needed
yakkety	dne
zesty	not-affected

Known Exploits!

Common Weakness Enumeration

CWE-665 - Improper Initialization
The software does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.

References

https://github.com/facebook/hhvm/commit/423b4b719afd5ef4e6e19d8447fbf7b6bc0d0a25

https://httpoxy.org/

https://www.facebook.com/security/advisories/cve-2016-1000109

https://github.com/facebook/hhvm/commit/423b4b719afd5ef4e6e19d8447fbf7b6bc0d0a25

https://httpoxy.org/

https://www.facebook.com/security/advisories/cve-2016-1000109