QwikSec

Security Database

CVE

CWE

Training

CVE-2018-6345

Published: Jan 15, 2019

Modified: Aug 5, 2024

PUBLISHED

Description

The function number_format is vulnerable to a heap overflow issue when its second argument ($dec_points) is excessively large. The internal implementation of the function will cause a string to be created with an invalid length, which can then interact poorly with other functions. This affects all supported versions of HHVM (3.30.1 and 3.27.5 and below).

Vendor	Product	Versions
Facebook	HHVM	affected `3.30.2` affected `3.30.0 - < unspecified` affected `3.27.6` affected `unspecified - < 3.27.6`

Weaknesses (CWE)

References

https://github.com/facebook/hhvm/commit/190ffdf6c8b1ec443be202c7d69e63a7e3da25e3

x_refsource_MISC

https://hhvm.com/blog/2019/01/14/hhvm-3.30.2.html

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.