CVE-2015-5123

HIGH
New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Description

Use-after-free vulnerability in the BitmapData class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.302 on Windows and OS X, 14.x through 18.0.0.203 on Windows and OS X, 11.x through 11.2.202.481 on Linux, and 12.x through 18.0.0.204 on Linux Chrome installations allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that overrides a valueOf function, as exploited in the wild in July 2015.

References

http://blog.trendmicro.com/trendlabs-security-intelligence/new-zero-day-vulnerability-cve-2015-5123-in-adobe-flash-emerges-from-hacking-team-leak/

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00028.html

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00029.html

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00032.html

http://marc.info/?l=bugtraq&m=144050155601375&w=2

http://rhn.redhat.com/errata/RHSA-2015-1235.html

http://www.kb.cert.org/vuls/id/918568

http://www.securityfocus.com/bid/75710

http://www.securitytracker.com/id/1032890

http://www.us-cert.gov/ncas/alerts/TA15-195A

https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04796784

https://helpx.adobe.com/security/products/flash-player/apsa15-04.html

https://helpx.adobe.com/security/products/flash-player/apsb15-18.html

https://security.gentoo.org/glsa/201508-01

Details

Source: MITRE

Published: 2015-07-14

Updated: 2019-10-09

Type: CWE-416

Risk Information

CVSS v2

Base Score: 10

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Impact Score: 10

Exploitability Score: 10

Severity: HIGH

Tenable Plugins

View all (13 total)

IDNameProductFamilySeverity
8886Google Chrome OS < 43.0.2357.132 Multiple VulnerabilitiesNessus Network MonitorMobile Devices
critical
8882Google Chrome < 43.0.2357.134 Multiple RCE VulnerabilitiesNessus Network MonitorWeb Clients
high
86089GLSA-201508-01 : Adobe Flash Player: Multiple vulnerabilitiesNessusGentoo Local Security Checks
critical
8822Flash Player < 13.0.0.305 / 18.0.0.209 Multiple RCE (APSB15-18)Nessus Network MonitorWeb Clients
high
84876SUSE SLED11 Security Update : flash-player (SUSE-SU-2015:1258-1)NessusSuSE Local Security Checks
critical
84875SUSE SLED12 Security Update : flash-player (SUSE-SU-2015:1255-1)NessusSuSE Local Security Checks
critical
84865openSUSE Security Update : Adobe Flash Player (openSUSE-2015-496)NessusSuSE Local Security Checks
critical
84820RHEL 5 / 6 : flash-plugin (RHSA-2015:1235)NessusRed Hat Local Security Checks
critical
84809MS KB3079777: Update for Vulnerabilities in Adobe Flash Player in Internet ExplorerNessusWindows
critical
84733Google Chrome < 43.0.2357.134 RCE Multiple Vulnerabilities (Mac OS X)NessusMacOS X Local Security Checks
critical
84732Adobe Flash Player <= 18.0.0.203 Multiple RCE Vulnerabilities (APSB15-18) (Mac OS X)NessusMacOS X Local Security Checks
critical
84731Google Chrome < 43.0.2357.134 Multiple RCE VulnerabilitiesNessusWindows
critical
84730Adobe Flash Player <= 18.0.0.203 Multiple RCE Vulnerabilities (APSB15-18)NessusWindows
critical