CVE-2022-36937
published 2023-05-10CVE-2022-36937: HHVM 4.172.0 and all prior versions use TLS 1.0 for secure connections when handling tls:// URLs in the stream extension. TLS1.0 has numerous published…
PriorityP348critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
0.53%
40.5th percentile
HHVM 4.172.0 and all prior versions use TLS 1.0 for secure connections when handling tls:// URLs in the stream extension. TLS1.0 has numerous published vulnerabilities and is deprecated. HHVM 4.153.4, 4.168.2, 4.169.2, 4.170.2, 4.171.1, 4.172.1, 4.173.0 replaces TLS1.0 with TLS1.3.
Applications that call stream_socket_server or stream_socket_client functions with a URL starting with tls:// are affected.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hhvm | < 4.153.4 | 4.153.4 | |
| hhvm | — | — | |
| hhvm | — | — | |
| hhvm | >= 4.154.0 < 1.168.2 | 1.168.2 | |
| hhvm | >= 4.154.0 < 4.168.2 | 4.168.2 | |
| hhvm | >= 4.169.0 < 4.169.2 | 4.169.2 | |
| hhvm | >= 4.170.0 < 4.170.2 | 4.170.2 | |
| hhvm | >= 4.171.0 < 4.171.1 | 4.171.1 | |
| hhvm | >= 4.172.0 < 4.172.1 | 4.172.1 |
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv9.8CRITICAL
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-f3qf-gc58-29p6: HHVM 4
ghsa_unreviewed·2023-05-10
CVE-2022-36937 [CRITICAL] CWE-1104 GHSA-f3qf-gc58-29p6: HHVM 4
HHVM 4.172.0 and all prior versions use TLS 1.0 for secure connections when handling tls:// URLs in the stream extension. TLS1.0 has numerous published vulnerabilities and is deprecated. HHVM 4.153.4, 4.168.2, 4.169.2, 4.170.2, 4.171.1, 4.172.1, 4.173.0 replaces TLS1.0 with TLS1.3.
Applications that call stream_socket_server or stream_socket_client functions with a URL starting with tls:// are affected.
OSV
CVE-2022-36937: HHVM 4
osv·2023-05-10·CVSS 9.8
CVE-2022-36937 [CRITICAL] CVE-2022-36937: HHVM 4
HHVM 4.172.0 and all prior versions use TLS 1.0 for secure connections when handling tls:// URLs in the stream extension. TLS1.0 has numerous published vulnerabilities and is deprecated. HHVM 4.153.4, 4.168.2, 4.169.2, 4.170.2, 4.171.1, 4.172.1, 4.173.0 replaces TLS1.0 with TLS1.3. Applications that call stream_socket_server or stream_socket_client functions with a URL starting with tls:// are affected.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2023-05-10
Published