Vulnerability CVE-2014-2209

Vulnerability CVE-2014-2209

Published: 2014-12-28

Description:

Facebook HipHop Virtual Machine (HHVM) before 3.1.0 does not drop supplemental group memberships within hphp/util/capability.cpp and hphp/util/light-process.cpp, which allows remote attackers to bypass intended access restrictions by leveraging group permissions for a file or directory.

Type:

CWE-264

(Permissions, Privileges, and Access Controls)

CVSS2 => (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVSS Base Score	Impact Subscore	Exploitability Subscore
5/10	2.9/10	10/10

Exploit range	Attack complexity	Authentication
Remote	Low	No required
Confidentiality impact	Integrity impact	Availability impact
None	Partial	None

Affected software
Facebook -> Hiphop virtual machine

References:

https://github.com/facebook/hhvm/commit/851fff90a9b7461df2393af32239ba217bc25946

Copyright 2024, cxsecurity.com