CWE-621

Variable Extraction Error

The product uses external input to determine the names of variables into which information is extracted, without verifying that the names of the specified variables are valid. This could cause the program to overwrite unintended variables.

CVE-2018-6334 (GCVE-0-2018-6334)
Vulnerability from cvelistv5
Published
2018-12-31 20:00
Modified
2025-05-06 16:48
Severity ?
CWE
  • CWE-621 - Variable Extraction Error ()
Summary
Multipart-file uploads call variables to be improperly registered in the global scope. In cases where variables are not declared explicitly before being used this can lead to unexpected behavior. This affects all supported versions of HHVM prior to the patch (3.25.1, 3.24.5, and 3.21.9 and below).
Impacted products
Vendor Product Version
Facebook HHVM Version: 3.25.2
Version: 3.25.0
Version: 3.24.6
Version: 3.22.0
Version: 3.21.10
Version: unspecified   < 3.21.10
Create a notification for this product.
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T06:01:48.426Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/facebook/hhvm/commit/6937de5544c3eead3466b75020d8382080ed0cff"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://hhvm.com/blog/2018/03/30/hhvm-3.25.2.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2018-6334",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-06T16:40:47.018290Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-06T16:48:40.461Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "HHVM",
          "vendor": "Facebook",
          "versions": [
            {
              "status": "affected",
              "version": "3.25.2"
            },
            {
              "status": "affected",
              "version": "3.25.0"
            },
            {
              "status": "affected",
              "version": "3.24.6"
            },
            {
              "status": "affected",
              "version": "3.22.0"
            },
            {
              "status": "affected",
              "version": "3.21.10"
            },
            {
              "lessThan": "3.21.10",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "dateAssigned": "2018-03-26T00:00:00.000Z",
      "datePublic": "2018-12-31T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Multipart-file uploads call variables to be improperly registered in the global scope. In cases where variables are not declared explicitly before being used this can lead to unexpected behavior. This affects all supported versions of HHVM prior to the patch (3.25.1, 3.24.5, and 3.21.9 and below)."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-621",
              "description": "Variable Extraction Error (CWE-621)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-12-31T19:57:01.000Z",
        "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
        "shortName": "facebook"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/facebook/hhvm/commit/6937de5544c3eead3466b75020d8382080ed0cff"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://hhvm.com/blog/2018/03/30/hhvm-3.25.2.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve-assign@fb.com",
          "DATE_ASSIGNED": "2018-03-26",
          "ID": "CVE-2018-6334",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "HHVM",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "!=\u003e",
                            "version_value": "3.25.2"
                          },
                          {
                            "version_affected": "=\u003e",
                            "version_value": "3.25.0"
                          },
                          {
                            "version_affected": "!=\u003e",
                            "version_value": "3.24.6"
                          },
                          {
                            "version_affected": "=\u003e",
                            "version_value": "3.22.0"
                          },
                          {
                            "version_affected": "!=\u003e",
                            "version_value": "3.21.10"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "3.21.10"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Facebook"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Multipart-file uploads call variables to be improperly registered in the global scope. In cases where variables are not declared explicitly before being used this can lead to unexpected behavior. This affects all supported versions of HHVM prior to the patch (3.25.1, 3.24.5, and 3.21.9 and below)."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Variable Extraction Error (CWE-621)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/facebook/hhvm/commit/6937de5544c3eead3466b75020d8382080ed0cff",
              "refsource": "MISC",
              "url": "https://github.com/facebook/hhvm/commit/6937de5544c3eead3466b75020d8382080ed0cff"
            },
            {
              "name": "https://hhvm.com/blog/2018/03/30/hhvm-3.25.2.html",
              "refsource": "MISC",
              "url": "https://hhvm.com/blog/2018/03/30/hhvm-3.25.2.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
    "assignerShortName": "facebook",
    "cveId": "CVE-2018-6334",
    "datePublished": "2018-12-31T20:00:00.000Z",
    "dateReserved": "2018-01-26T00:00:00.000Z",
    "dateUpdated": "2025-05-06T16:48:40.461Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Mitigation

Phase: Implementation

Strategy: Input Validation

Description:

  • Use allowlists of variable names that can be extracted.
Mitigation

Phase: Implementation

Description:

  • Consider refactoring your code to avoid extraction routines altogether.
Mitigation

Phase: Implementation

Description:

  • In PHP, call extract() with options such as EXTR_SKIP and EXTR_PREFIX_ALL; call import_request_variables() with a prefix argument. Note that these capabilities are not present in all PHP versions.

No CAPEC attack patterns related to this CWE.

Back to CWE stats page