cbcvebase.
CVE-2022-36937
published 2023-05-10

CVE-2022-36937: HHVM 4.172.0 and all prior versions use TLS 1.0 for secure connections when handling tls:// URLs in the stream extension. TLS1.0 has numerous published…

PriorityP348critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
0.53%
40.5th percentile
HHVM 4.172.0 and all prior versions use TLS 1.0 for secure connections when handling tls:// URLs in the stream extension. TLS1.0 has numerous published vulnerabilities and is deprecated. HHVM 4.153.4, 4.168.2, 4.169.2, 4.170.2, 4.171.1, 4.172.1, 4.173.0 replaces TLS1.0 with TLS1.3. Applications that call stream_socket_server or stream_socket_client functions with a URL starting with tls:// are affected.

Affected

9 ranges
VendorProductVersion rangeFixed in
facebookhhvm< 4.153.44.153.4
facebookhhvm
facebookhhvm
facebookhhvm>= 4.154.0 < 1.168.21.168.2
facebookhhvm>= 4.154.0 < 4.168.24.168.2
facebookhhvm>= 4.169.0 < 4.169.24.169.2
facebookhhvm>= 4.170.0 < 4.170.24.170.2
facebookhhvm>= 4.171.0 < 4.171.14.171.1
facebookhhvm>= 4.172.0 < 4.172.14.172.1

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv9.8CRITICAL
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.