CWE-621
Variable Extraction Error
The product uses external input to determine the names of variables into which information is extracted, without verifying that the names of the specified variables are valid. This could cause the program to overwrite unintended variables.
CVE-2018-6334 (GCVE-0-2018-6334)
Vulnerability from cvelistv5
Published: 2018-12-31 20:00
Modified: 2025-05-06 16:48
CWE
- CWE-621 - Variable Extraction Error
Summary
Multipart-file uploads cause variables to be improperly registered in the global scope. In cases where variables are not declared explicitly before being used, this can lead to unexpected behavior. This affects all supported versions of HHVM prior to the patch (3.25.1, 3.24.5, and 3.21.9 and below).
References
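| URL | Tags |
|---|---|
| https://github.com/facebook/hhvm/commit/6937de5544c3eead3466b75020d8382080ed0cff | x_refsource_MISC |
| https://hhvm.com/blog/2018/03/30/hhvm-3.25.2.html | x_refsource_MISC |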
Impacted products
| Vendor | Product |
|---|---|
| Facebook | HHVM |
Mitigation
Phase: Implementation
Strategy: Input Validation
Description:
- Use allowlists of variable names that can be extracted.
Mitigation
Phase: Implementation
Description:
- Consider refactoring your code to avoid extraction routines altogether.
Mitigation
Phase: Implementation
Description:
- In PHP, call extract() with options such as EXTR_SKIP and EXTR_PREFIX_ALL; call import_request_variables() with a prefix argument. Note that these capabilities are not present in all PHP versions.
No CAPEC attack patterns related to this CWE.