CVE-2014-5333

medium

Description

Adobe Flash Player before 13.0.0.241 and 14.x before 14.0.0.176 on Windows and OS X and before 11.2.202.400 on Linux, Adobe AIR before 14.0.0.178 on Windows and OS X and before 14.0.0.179 on Android, Adobe AIR SDK before 14.0.0.178, and Adobe AIR SDK & Compiler before 14.0.0.178 do not properly restrict the SWF file format, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks against JSONP endpoints, and obtain sensitive information, via a crafted OBJECT element with SWF content satisfying the character-set requirements of a callback API, in conjunction with a manipulation involving a '$' (dollar sign) or '(' (open parenthesis) character. NOTE: this issue exists because of an incomplete fix for CVE-2014-4671.

References

http://helpx.adobe.com/security/products/flash-player/apsb14-18.html

http://miki.it/blog/2014/8/15/adobe-really-fixed-rosetta-flash-today/

https://exchange.xforce.ibmcloud.com/vulnerabilities/95418

Details

Source: MITRE

Published: 2014-08-19

Updated: 2017-09-08

Type: CWE-352

Risk Information

CVSS v2

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

Vulnerable Software

Configuration 1

AND

OR

cpe:2.3:a:adobe:adobe_air:13.0.0.83:*:*:*:*:*:*:*

cpe:2.3:a:adobe:adobe_air:13.0.0.111:*:*:*:*:*:*:*

cpe:2.3:a:adobe:adobe_air:14.0.0.110:*:*:*:*:*:*:*

cpe:2.3:a:adobe:adobe_air:*:*:*:*:*:*:*:*

OR

cpe:2.3:o:google:android:*:*:*:*:*:*:*:*

Configuration 2

AND

OR

cpe:2.3:a:adobe:flash_player:13.0.0.182:*:*:*:*:*:*:*

cpe:2.3:a:adobe:flash_player:13.0.0.201:*:*:*:*:*:*:*

cpe:2.3:a:adobe:flash_player:13.0.0.206:*:*:*:*:*:*:*

cpe:2.3:a:adobe:flash_player:13.0.0.214:*:*:*:*:*:*:*

cpe:2.3:a:adobe:flash_player:13.0.0.223:*:*:*:*:*:*:*

cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*

cpe:2.3:a:adobe:flash_player:14.0.0.125:*:*:*:*:*:*:*

cpe:2.3:a:adobe:flash_player:14.0.0.145:*:*:*:*:*:*:*

OR

cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*

cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*

Configuration 3

OR

cpe:2.3:a:adobe:adobe_air_sdk:13.0.0.83:*:*:*:*:*:*:*

cpe:2.3:a:adobe:adobe_air_sdk:13.0.0.111:*:*:*:*:*:*:*

cpe:2.3:a:adobe:adobe_air_sdk:14.0.0.110:*:*:*:*:*:*:*

cpe:2.3:a:adobe:adobe_air_sdk:*:*:*:*:*:*:*:* versions up to 14.0.0.137 (inclusive)

Configuration 4

AND

OR

cpe:2.3:a:adobe:flash_player:11.2.202.223:*:*:*:*:*:*:*

cpe:2.3:a:adobe:flash_player:11.2.202.228:*:*:*:*:*:*:*

cpe:2.3:a:adobe:flash_player:11.2.202.233:*:*:*:*:*:*:*

cpe:2.3:a:adobe:flash_player:11.2.202.235:*:*:*:*:*:*:*

cpe:2.3:a:adobe:flash_player:11.2.202.236:*:*:*:*:*:*:*

cpe:2.3:a:adobe:flash_player:11.2.202.238:*:*:*:*:*:*:*

cpe:2.3:a:adobe:flash_player:11.2.202.243:*:*:*:*:*:*:*

cpe:2.3:a:adobe:flash_player:11.2.202.251:*:*:*:*:*:*:*

cpe:2.3:a:adobe:flash_player:11.2.202.258:*:*:*:*:*:*:*

cpe:2.3:a:adobe:flash_player:11.2.202.261:*:*:*:*:*:*:*

cpe:2.3:a:adobe:flash_player:11.2.202.262:*:*:*:*:*:*:*

cpe:2.3:a:adobe:flash_player:11.2.202.270:*:*:*:*:*:*:*

cpe:2.3:a:adobe:flash_player:11.2.202.273:*:*:*:*:*:*:*

cpe:2.3:a:adobe:flash_player:11.2.202.275:*:*:*:*:*:*:*

cpe:2.3:a:adobe:flash_player:11.2.202.280:*:*:*:*:*:*:*

cpe:2.3:a:adobe:flash_player:11.2.202.285:*:*:*:*:*:*:*

cpe:2.3:a:adobe:flash_player:11.2.202.291:*:*:*:*:*:*:*

cpe:2.3:a:adobe:flash_player:11.2.202.297:*:*:*:*:*:*:*

cpe:2.3:a:adobe:flash_player:11.2.202.310:*:*:*:*:*:*:*

cpe:2.3:a:adobe:flash_player:11.2.202.332:*:*:*:*:*:*:*

cpe:2.3:a:adobe:flash_player:11.2.202.335:*:*:*:*:*:*:*

cpe:2.3:a:adobe:flash_player:11.2.202.336:*:*:*:*:*:*:*

cpe:2.3:a:adobe:flash_player:11.2.202.341:*:*:*:*:*:*:*

cpe:2.3:a:adobe:flash_player:11.2.202.346:*:*:*:*:*:*:*

cpe:2.3:a:adobe:flash_player:11.2.202.350:*:*:*:*:*:*:*

cpe:2.3:a:adobe:flash_player:11.2.202.356:*:*:*:*:*:*:*

cpe:2.3:a:adobe:flash_player:11.2.202.359:*:*:*:*:*:*:*

cpe:2.3:a:adobe:flash_player:11.2.202.378:*:*:*:*:*:*:*

cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*

OR

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

Configuration 5

AND

OR

cpe:2.3:a:adobe:adobe_air:13.0.0.83:*:*:*:*:*:*:*

cpe:2.3:a:adobe:adobe_air:13.0.0.111:*:*:*:*:*:*:*

cpe:2.3:a:adobe:adobe_air:*:*:*:*:*:*:*:*

OR

cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*

cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*

Tenable Plugins

| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 84207 | SUSE SLED11 Security Update : flash-player (SUSE-SU-2015:1064-1) | Nessus | SuSE Local Security Checks | critical |
| 84147 | SUSE SLED12 Security Update : flash-player (SUSE-SU-2015:1043-1) | Nessus | SuSE Local Security Checks | critical |
| 84135 | openSUSE Security Update : Adobe Flash Player (openSUSE-2015-412) | Nessus | SuSE Local Security Checks | critical |
| 8358 | Adobe AIR < 14.0.0.178 Multiple Vulnerabilities (APSB14-18) | Nessus Network Monitor | Web Clients | critical |
| 8357 | Flash Player < 14.0.0.176 Multiple Vulnerabilities (APSB14-18) | Nessus Network Monitor | Web Clients | critical |
| 77193 | RHEL 5 / 6 : flash-plugin (RHSA-2014:1051) | Nessus | Red Hat Local Security Checks | critical |
| 77174 | Flash Player for Mac <= 14.0.0.145 Multiple Vulnerabilities (APSB14-18) | Nessus | MacOS X Local Security Checks | critical |
| 77173 | Adobe AIR for Mac <= 14.0.0.110 Multiple Vulnerabilities (APSB14-18) | Nessus | MacOS X Local Security Checks | critical |
| 77172 | Flash Player <= 14.0.0.145 Multiple Vulnerabilities (APSB14-18) | Nessus | Windows | critical |
| 77171 | Adobe AIR <= AIR 14.0.0.110 Multiple Vulnerabilities (APSB14-18) | Nessus | Windows | critical |
| 8327 | Adobe AIR < 14.0.0.137 Multiple Vulnerabilities (APSB14-17) | Nessus Network Monitor | Web Clients | critical |