Vulnerability CVE-2015-3090


Published: 2015-05-13   Modified: 2017-01-02

Description:
Adobe Flash Player before 13.0.0.289 and 14.x through 17.x before 17.0.0.188 on Windows and OS X and before 11.2.202.460 on Linux, Adobe AIR before 17.0.0.172, Adobe AIR SDK before 17.0.0.172, and Adobe AIR SDK & Compiler before 17.0.0.172 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-3078, CVE-2015-3089, and CVE-2015-3093.

See advisories in our WLB2 database:
Topic
Author
Date
High
Adobe Flash Player ShaderJob Buffer Overflow
Juan vazquez
20.06.2015

Type:

CWE-119

(Improper Restriction of Operations within the Bounds of a Memory Buffer)

Vendor: Adobe
Product: Flash player 
Version:
17.0.0.169
17.0.0.134
16.0.0.296
16.0.0.287
16.0.0.257
16.0.0.235
15.0.0.246
15.0.0.239
15.0.0.223
15.0.0.189
15.0.0.167
15.0.0.152
14.0.0.179
14.0.0.176
14.0.0.145
14.0.0.125
13.0.0.264
11.2.202.475
Product: Adobe air 
Version: 17.0.0.144;
Product: Adobe air sdk 
Version: 17.0.0.144;
Product: Air sdk & compiler 
Version: 17.0.0.144;
Product: AIR 
Version: 17.0.0.144;
Product: Air sdk 
Version: 17.0.0.144;

CVSS2 => (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Base Score
Impact Subscore
Exploitability Subscore
10/10
10/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Complete
Complete
Complete

 References:
http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00007.html
http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00010.html
http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00016.html
http://rhn.redhat.com/errata/RHSA-2015-1005.html
http://www.securityfocus.com/bid/74605
http://www.securitytracker.com/id/1032285
https://helpx.adobe.com/security/products/flash-player/apsb15-09.html
https://security.gentoo.org/glsa/201505-02

Related CVE
CVE-2017-2996
Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable memory corruption vulnerability in Primetime SDK. Successful exploitation could lead to arbitrary code execution.
CVE-2017-2992
Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable heap overflow vulnerability when parsing an MP4 header. Successful exploitation could lead to arbitrary code execution.
CVE-2017-2993
Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable use after free vulnerability related to event handlers. Successful exploitation could lead to arbitrary code execution.
CVE-2017-2994
Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable use after free vulnerability in Primetime SDK event dispatch. Successful exploitation could lead to arbitrary code execution.
CVE-2017-2995
Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable type confusion vulnerability related to the MessageChannel class. Successful exploitation could lead to arbitrary code execution.
CVE-2017-2988
Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable memory corruption vulnerability when performing garbage collection. Successful exploitation could lead to arbitrary code execution.
CVE-2017-2990
Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable memory corruption vulnerability in the h264 decompression routine. Successful exploitation could lead to arbitrary code execution.
CVE-2017-2991
Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable memory corruption vulnerability in the h264 codec (related to decompression). Successful exploitation could lead to arbitrary code execution.

Copyright 2017, cxsecurity.com