⚠ Actively exploited

Added to CISA KEV on 2022-03-03. Federal agencies required to patch by 2022-03-24. Required action: The impacted product is end-of-life and should be disconnected if still in use..

CVE-2011-0611 — Type Confusion in Adobe Acrobat

CWE-843 — Type Confusion CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer10 documents9 sources

Severity

8.8HIGHNVD

EPSS

93.7%

top 0.15%

CISA KEV

KEV

Added 2022-03-03

Due 2022-03-24

Exploit

Exploited in wild

Active exploitation observed

Affected products

Adobe Acrobat Adobe Acrobat Reader Adobe AIR +4 more

Timeline

PublishedApr 13

KEV addedMar 3

KEV dueMar 24

Latest updateMay 14

CISA Required Action: The impacted product is end-of-life and should be disconnected if still in use.

Description

Adobe Flash Player before 10.2.154.27 on Windows, Mac OS X, Linux, and Solaris and 10.2.156.12 and earlier on Android; Adobe AIR before 2.6.19140; and Authplay.dll (aka AuthPlayLib.bundle) in Adobe Reader 9.x before 9.4.4 and 10.x through 10.0.1 on Windows, Adobe Reader 9.x before 9.4.4 and 10.x before 10.0.3 on Mac OS X, and Adobe Acrobat 9.x before 9.4.4 and 10.x before 10.0.3 on Windows and Mac OS X allow remote attackers to execute arbitrary code or cause a denial of service (application cra…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages7 packages

▶NVDadobe/flash_player< 10.2.154.27+1

▶NVDadobe/acrobat_reader9.0 — 9.4.4+2

▶NVDadobe/acrobat9.0 — 9.4+1

▶NVDadobe/adobe_air< 2.6.19140

▶NVDsuse/linux_enterprise_desktop10, 11+1

Patches

Patch: lists.opensuse.org ↗Patch: lists.opensuse.org ↗

🔴Vulnerability Details

GHSA

GHSA-xhq8-8cqj-q337: Adobe Flash Player before 10↗2022-05-14

▶

CVEList

CVE-2011-0611: Adobe Flash Player before 10↗2011-04-13

▶

VulnCheck

Adobe Flash Player Remote Code Execution Vulnerability↗2011

▶

💥Exploits & PoCs

Exploit-DB

Adobe Reader X 10.0.0 < 10.0.1 - Atom Type Confusion↗2011-07-03

▶

Exploit-DB

Adobe Flash Player 10.2.153.1 - SWF Memory Corruption (Metasploit)↗2011-04-16

▶

📋Vendor Advisories

CISA

Adobe Flash Player Remote Code Execution Vulnerability↗2022-03-03

▶

Red Hat

flash-plugin: crash and potential arbitrary code execution (APSB11-07)↗2011-04-11

▶

🕵️Threat Intelligence

Schneier

Research on Patch Deployment - Schneier on Security↗2015-05-01

▶

💬Community

Bugzilla

CVE-2011-0611 flash-plugin: crash and potential arbitrary code execution (APSB11-07)↗2011-04-11

▶