Vulnerability CVE-2010-2873


Published: 2010-08-26   Modified: 2012-02-13

Description:
Adobe Shockwave Player before 11.5.8.612 does not properly validate offset values in the rcsL RIFF chunks of (1) .DIR and (2) .DCR Director movies, which allows remote attackers to cause a denial of service (heap memory corruption) or execute arbitrary code via a crafted movie.

See advisories in our WLB2 database:
Topic: Adobe Shockwave Director rcsL Chunk Remote Code Execution Vulnerability (High)
Author: ZDI
Date: 30.08.2010

Type: CWE-20 (Improper Input Validation)

Vendor: Adobe
Product: Shockwave Player
Version:
9.0.432
9.0.383
9
8.5.325
8.5.324
8.5.323
8.5.321
8.5.1.106
8.5.1.105
8.5.1.103
8.5.1.100
8.5.1
8.0.205
8.0.204
8.0.196a
8.0.196
8.0
6.0
5.0
4.0
3.0
2.0
11.5.7.609
11.5.6.606
11.5.2.602
11.5.1.601
11.5.0.596
11.5.0.595
11.0.3.471
11.0.0.456
10.2.0.023
10.2.0.022
10.2.0.021
10.1.4.020
10.1.1.016
10.1.0.11
10.1.0.011
10.0.1.004
10.0.0.210
1.0

CVSS2 => (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

References:
http://www.adobe.com/support/security/bulletins/apsb10-20.html
http://www.securityfocus.com/archive/1/513307/100/0/threaded
http://www.securityfocus.com/bid/42682
http://www.securitytracker.com/id?1024361
http://www.vupen.com/english/advisories/2010/2176
http://www.zerodayinitiative.com/advisories/ZDI-10-162
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12042


Copyright 2019, cxsecurity.com

 
