| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 9.0 | $0-$5k | 0.00 |
Summary
A vulnerability was found in Adobe Flash Player 11.2.202.235. It has been rated as critical. This impacts an unknown function. This manipulation causes untrusted search path. The identification of this vulnerability is CVE-2012-2040. Furthermore, there is an exploit available. Upgrading the affected component is advised.
Details
A vulnerability classified as critical was found in Adobe Flash Player 11.2.202.235 (Multimedia Player Software). Affected by this vulnerability is an unknown function. The manipulation with an unknown input leads to a untrusted search path vulnerability. The CWE definition for the vulnerability is CWE-426. The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:
Untrusted search path vulnerability in the installer in Adobe Flash Player before 10.3.183.20 and 11.x before 11.3.300.257 on Windows and Mac OS X; before 10.3.183.20 and 11.x before 11.2.202.236 on Linux; before 11.1.111.10 on Android 2.x and 3.x; and before 11.1.115.9 on Android 4.x, and Adobe AIR before 3.3.0.3610, allows local users to gain privileges via a Trojan horse executable file in an unspecified directory.
The weakness was shared 06/08/2012 by Mitsuaki Shiraishi (team509) with Microsoft Vulnerability Research as APSB12-14 as confirmed bulletin (Website). The advisory is shared at adobe.com. The vendor cooperated in the coordination of the public release. This vulnerability is known as CVE-2012-2040 since 04/02/2012. The attack can be launched remotely. The exploitation doesn't need any form of authentication. Technical details are unknown but a private exploit is available. MITRE ATT&CK project uses the attack technique T1574 for this issue.
It is declared as proof-of-concept. The vulnerability scanner Nessus provides a plugin with the ID 59426 (Flash Player <= 10.3.183.19 / 11.3.300.256 Multiple Vulnerabilities (APSB12-14)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Windows. The commercial vulnerability scanner Qualys is able to test this issue with plugin 120272 (Adobe Flash Player and AIR Multiple Vulnerabilities (APSB12-14)).
Upgrading to version 11.3.300.257 (Windows) , 11.2.202.236 (Linux) , 11.1.115.9 (Android 4.x) or 11.1.111.10 (Android 3.x) eliminates this vulnerability. The upgrade is hosted for download at adobe.com. A possible mitigation has been published immediately after the disclosure of the vulnerability.
The vulnerability is also documented in the databases at Tenable (59426), SecurityFocus (BID 53887†), OSVDB (82725†), Secunia (SA49388†) and SecurityTracker (ID 1027139†). The entries VDB-5504, VDB-5505, VDB-5506 and VDB-5507 are related to this item. If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Product
Type
Vendor
Name
Version
License
Support
Website
- Vendor: https://www.adobe.com/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 10.0VulDB Meta Temp Score: 9.0
VulDB Base Score: 10.0
VulDB Temp Score: 9.0
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Untrusted search pathCWE: CWE-426
CAPEC: 🔍
ATT&CK: 🔍
Physical: Partially
Local: Yes
Remote: Yes
Availability: 🔍
Access: Private
Status: Proof-of-Concept
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 59426
Nessus Name: Flash Player <= 10.3.183.19 / 11.3.300.256 Multiple Vulnerabilities (APSB12-14)
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
OpenVAS ID: 71540
OpenVAS Name: FreeBSD Ports: linux-f10-flashplugin
OpenVAS File: 🔍
OpenVAS Family: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
Reaction Time: 🔍
0-Day Time: 🔍
Exposure Time: 🔍
Upgrade: Flash Player 11.3.300.257 (Windows) / 11.2.202.236 (Linux) / 11.1.115.9 (Android 4.x) / 11.1.111.10 (Android 3.x)
McAfee IPS: 🔍
McAfee IPS Version: 🔍
Timeline
04/02/2012 🔍06/08/2012 🔍
06/08/2012 🔍
06/08/2012 🔍
06/08/2012 🔍
06/08/2012 🔍
06/09/2012 🔍
06/10/2012 🔍
06/10/2012 🔍
06/11/2012 🔍
06/12/2012 🔍
03/25/2021 🔍
Sources
Vendor: adobe.comAdvisory: APSB12-14
Researcher: Mitsuaki Shiraishi (team509)
Organization: Microsoft Vulnerability Research
Status: Confirmed
Confirmation: 🔍
Coordinated: 🔍
CVE: CVE-2012-2040 (🔍)
GCVE (CVE): GCVE-0-2012-2040
GCVE (VulDB): GCVE-100-5509
OVAL: 🔍
SecurityFocus: 53887 - Adobe Flash Player APSB12-14 Multiple Security Vulnerabilities
Secunia: 49388 - Adobe Flash Player Multiple Vulnerabilities, Highly Critical
OSVDB: 82725
SecurityTracker: 1027139 - Adobe Flash Player Bugs Let Remote Users Execute Arbitrary Code and Obtain Information
Vulnerability Center: 35287 - [APSB12-14] Adobe Flash Player and Adobe AIR Local Privileges Escalation Vulnerability via a Trojan Horse, High
scip Labs: https://www.scip.ch/en/?labs.20161013
See also: 🔍
Entry
Created: 06/12/2012 17:43Updated: 03/25/2021 10:55
Changes: 06/12/2012 17:43 (81), 04/13/2017 17:10 (15), 03/25/2021 10:55 (3)
Complete: 🔍
Cache ID: 216:73B:103
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
No comments yet. Languages: en.
Please log in to comment.