CVE-2016-1000004

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2016-1000004

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-1000004.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2016-1000004

Downstream

UBUNTU-CVE-2016-1000004

Published

2020-02-19T13:15:10Z

Modified

2025-10-21T03:19:55.875367Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Insufficient type checks were employed prior to casting input data in SimpleXMLElementexportNode and simplexmlimport_dom. This issue affects HHVM versions prior to 3.9.5, all versions between 3.10.0 and 3.12.3 (inclusive), and all versions between 3.13.0 and 3.14.1 (inclusive).

References

Affected packages

Git / github.com/facebook/hhvm

Affected ranges

Type: GIT
Repo: https://github.com/facebook/hhvm
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

8e7266fef1f329b805b37f32c9ad0090215ab269

Affected versions

HPHP-2.*

HPHP-2.1.0

gcc-4.*

gcc-4.6

Other

pre-hhvm

src-hphp

Database specific

vanir_signatures

[
    {
        "source": "https://github.com/facebook/hhvm/commit/8e7266fef1f329b805b37f32c9ad0090215ab269",
        "signature_version": "v1",
        "target": {
            "file": "hphp/runtime/ext/simplexml/ext_simplexml.cpp",
            "function": "SimpleXMLElement_exportNode"
        },
        "digest": {
            "length": 208.0,
            "function_hash": "284111172822097489879350956689906283064"
        },
        "deprecated": false,
        "signature_type": "Function",
        "id": "CVE-2016-1000004-7e68cc5a"
    },
    {
        "source": "https://github.com/facebook/hhvm/commit/8e7266fef1f329b805b37f32c9ad0090215ab269",
        "signature_version": "v1",
        "target": {
            "file": "hphp/runtime/ext/simplexml/ext_simplexml.cpp"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "55765914228621558646643659540904023927",
                "243835335827319018911730436790814189705",
                "79200780020579073968261204415201624069",
                "278751480322904910959016944884515555258",
                "198200089604599280099251079262852164476",
                "68225021353284281926992865200273145178",
                "40146257546414192642961160745671104275",
                "87266853421619007164937883201537336780",
                "211421453706724789124054905841163514856",
                "152257111440568270577492985775885413759"
            ]
        },
        "deprecated": false,
        "signature_type": "Line",
        "id": "CVE-2016-1000004-d2f0dcbc"
    },
    {
        "source": "https://github.com/facebook/hhvm/commit/8e7266fef1f329b805b37f32c9ad0090215ab269",
        "signature_version": "v1",
        "target": {
            "file": "hphp/runtime/ext/simplexml/ext_simplexml.cpp",
            "function": "HHVM_FUNCTION"
        },
        "digest": {
            "length": 831.0,
            "function_hash": "96267759177677574329934507567798237337"
        },
        "deprecated": false,
        "signature_type": "Function",
        "id": "CVE-2016-1000004-e0136018"
    }
]