Adobe Flash Player prior 9.0.114.0 on Windows ActiveX Control information disclosure
CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
---|---|---|
6.7 | $0-$5k | 0.00 |
A vulnerability was found in Adobe Flash Player on Windows (Multimedia Player Software). It has been declared as critical. This vulnerability affects an unknown function of the component ActiveX Control. The manipulation with an unknown input leads to a information disclosure vulnerability. The CWE definition for the vulnerability is CWE-200. The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. As an impact it is known to affect confidentiality. CVE summarizes:
Unspecified vulnerability in the Flash Player ActiveX control in Adobe Flash Player before 10.0.42.34 and Adobe AIR before 1.5.3 on Windows allows remote attackers to obtain the names of local files via unknown vectors. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-4820.
The bug was discovered 12/08/2009. The weakness was published 12/08/2009 by Manuel Caballero (Website). The advisory is shared for download at us-cert.gov. This vulnerability was named CVE-2009-3951 since 11/16/2009. The attack can be initiated remotely. No form of authentication is required for a successful exploitation. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1592.
It is declared as proof-of-concept. The vulnerability scanner Nessus provides a plugin with the ID 43068 (Flash Player < 9.0.260 / 10.0.42.34 Multiple Vulnerabilities (APSB09-19)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Windows and running in the context l. The commercial vulnerability scanner Qualys is able to test this issue with plugin 116748 (Adobe Flash Player and AIR Multiple Remote Vulnerabilities (APSB09-19)).
Upgrading to version 9.0.114.0 eliminates this vulnerability. A possible mitigation has been published before and not just after the disclosure of the vulnerability.
The vulnerability is also documented in the databases at X-Force (54637) and Tenable (43068). Similar entries are available at 4071, 51099, 51098 and 51097.
Product
Type
Vendor
Name
License
Support
- end of life
CVSSv4
VulDB CVSS-B Score: 🔍VulDB CVSS-BT Score: 🔍
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 7.5VulDB Meta Temp Score: 6.7
VulDB Base Score: 7.5
VulDB Temp Score: 6.7
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
AV | AC | Au | C | I | A |
---|---|---|---|---|---|
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
---|---|---|---|---|---|
unlock | unlock | unlock | unlock | unlock | unlock |
unlock | unlock | unlock | unlock | unlock | unlock |
unlock | unlock | unlock | unlock | unlock | unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Information disclosureCWE: CWE-200 / CWE-284 / CWE-266
ATT&CK: T1592
Local: No
Remote: Yes
Availability: 🔍
Status: Proof-of-Concept
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
0-Day | unlock | unlock | unlock | unlock |
---|---|---|---|---|
Today | unlock | unlock | unlock | unlock |
Nessus ID: 43068
Nessus Name: Flash Player < 9.0.260 / 10.0.42.34 Multiple Vulnerabilities (APSB09-19)
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Nessus Context: 🔍
OpenVAS ID: 66523
OpenVAS Name: FreeBSD Ports: linux-flashplugin
OpenVAS File: 🔍
OpenVAS Family: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Upgrade: Flash Player 9.0.114.0
McAfee IPS: 🔍
McAfee IPS Version: 🔍
Timeline
02/22/2005 🔍11/16/2009 🔍
12/03/2009 🔍
12/08/2009 🔍
12/08/2009 🔍
12/08/2009 🔍
12/09/2009 🔍
12/09/2009 🔍
12/09/2009 🔍
12/10/2009 🔍
12/14/2009 🔍
03/18/2015 🔍
07/31/2019 🔍
Sources
Vendor: adobe.comAdvisory: us-cert.gov
Researcher: Manuel Caballero
Status: Confirmed
Confirmation: 🔍
CVE: CVE-2009-3951 (🔍)
OVAL: 🔍
X-Force: 54637
SecurityTracker: 1023307
Vulnerability Center: 24352 - [APSB09-19] Adobe Flash Player < 10.0.42.34 and AIR < 1.5.3 Remote Information Disclosure Vulnerability, Critical
SecurityFocus: 37199 - RETIRED: Adobe Flash Player APSB09-19 Multiple Remote Vulnerabilities
Secunia: 37584
OSVDB: 60891 - Adobe Flash Player ActiveX on Windows Unspecified Arbitrary File Access
Vupen: ADV-2009-3456
See also: 🔍
Entry
Created: 03/18/2015 15:15Updated: 07/31/2019 17:41
Changes: 03/18/2015 15:15 (79), 07/31/2019 17:41 (12)
Complete: 🔍
No comments yet. Languages: en.
Please log in to comment.