Vulnerability CVE-2015-0307


Published: 2015-01-13   Modified: 2017-01-02

Description:
Adobe Flash Player before 13.0.0.260 and 14.x through 16.x before 16.0.0.257 on Windows and OS X and before 11.2.202.429 on Linux, Adobe AIR before 16.0.0.245 on Windows and OS X and before 16.0.0.272 on Android, Adobe AIR SDK before 16.0.0.272, and Adobe AIR SDK & Compiler before 16.0.0.272 allow remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read) via unspecified vectors.

Vendor: Adobe
Product: Flash player 
Version:
16.0.0.235
16.0.0.234
15.0.0.246
15.0.0.239
15.0.0.238
15.0.0.223
15.0.0.189
15.0.0.167
15.0.0.152
15.0.0.144
14.0.0.179
14.0.0.176
14.0.0.145
14.0.0.125
13.0.0.259
11.2.202.425
Product: Adobe air 
Version: 15.0.0.356;
Product: Adobe air sdk 
Version: 15.0.0.356;
Product: Adobe air sdk and compiler 
Version: 15.0.0.356;

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:N/A:C)

CVSS Base Score
Impact Subscore
Exploitability Subscore
8.5/10
7.8/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
None
Complete

 References:
http://helpx.adobe.com/security/products/flash-player/apsb15-01.html
http://secunia.com/advisories/62177
http://secunia.com/advisories/62187
http://security.gentoo.org/glsa/glsa-201502-02.xml
http://www.securityfocus.com/bid/72037
http://www.securitytracker.com/id/1031525
http://xforce.iss.net/xforce/xfdb/99988

Related CVE
CVE-2017-3002
Adobe Flash Player versions 24.0.0.221 and earlier have an exploitable use after free vulnerability in the ActionScript2 TextField object related to the variable property. Successful exploitation could lead to arbitrary code execution.
CVE-2017-3003
Adobe Flash Player versions 24.0.0.221 and earlier have an exploitable use after free vulnerability related to an interaction between the privacy user interface and the ActionScript 2 Camera object. Successful exploitation could lead to arbitrary cod...
CVE-2017-3000
Adobe Flash Player versions 24.0.0.221 and earlier have a vulnerability in the random number generator used for constant blinding. Successful exploitation could lead to information disclosure.
CVE-2017-3001
Adobe Flash Player versions 24.0.0.221 and earlier have an exploitable use after free vulnerability related to garbage collection in the ActionScript 2 VM. Successful exploitation could lead to arbitrary code execution.
CVE-2017-2997
Adobe Flash Player versions 24.0.0.221 and earlier have an exploitable buffer overflow / underflow vulnerability in the Primetime TVSDK that supports customizing ad information. Successful exploitation could lead to arbitrary code execution.
CVE-2017-2998
Adobe Flash Player versions 24.0.0.221 and earlier have an exploitable memory corruption vulnerability in the Primetime TVSDK API functionality related to timeline interactions. Successful exploitation could lead to arbitrary code execution.
CVE-2017-2999
Adobe Flash Player versions 24.0.0.221 and earlier have an exploitable memory corruption vulnerability in the Primetime TVSDK functionality related to hosting playback surface. Successful exploitation could lead to arbitrary code execution.
CVE-2017-2983
Adobe Shockwave versions 12.2.7.197 and earlier have an insecure library loading (DLL hijacking) vulnerability. Successful exploitation could lead to escalation of privilege.

Copyright 2017, cxsecurity.com