⚠ Actively exploited

Added to CISA KEV on 2022-05-25. Federal agencies required to patch by 2022-06-15. Required action: The impacted product is end-of-life and should be disconnected if still in use..

CVE-2015-0310 — Sensitive Information Exposure in Adobe Flash Player

CWE-200 — Sensitive Information Exposure CWE-26414 documents10 sources

Severity

7.8HIGHNVD

EPSS

5.4%

top 9.88%

CISA KEV

KEV

Added 2022-05-25

Due 2022-06-15

Exploit

Exploited in wild

Active exploitation observed

Affected products

Adobe Flash Player

Timeline

PublishedJan 23

KEV addedMay 25

KEV dueJun 15

CISA Required Action: The impacted product is end-of-life and should be disconnected if still in use.

Description

Adobe Flash Player before 13.0.0.262 and 14.x through 16.x before 16.0.0.287 on Windows and OS X and before 11.2.202.438 on Linux does not properly restrict discovery of memory addresses, which allows attackers to bypass the ASLR protection mechanism on Windows, and have an unspecified impact on other platforms, via unknown vectors, as exploited in the wild in January 2015.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages1 packages

▶NVDadobe/flash_player14.0 — 16.0.0.287+2

Patches

Patch: helpx.adobe.com ↗Patch: helpx.adobe.com ↗

🔴Vulnerability Details

GHSA

GHSA-3qq4-w757-rjqm: Adobe Flash Player before 13↗2022-05-17

▶

OSV

CVE-2015-0310: Adobe Flash Player before 13↗2015-01-23

▶

VulnCheck

Adobe Flash Player ASLR Bypass Vulnerability↗2015

▶

📋Vendor Advisories

CISA

Adobe Flash Player ASLR Bypass Vulnerability↗2022-05-25

▶

Red Hat

flash-plugin: Vulnerability that could be used to circumvent memory randomization mitigations (APSB15-02)↗2015-01-22

▶

🕵️Threat Intelligence

Talos

Bedep Lurking in Angler's Shadows↗2016-02-09

▶

Krebs

Flash Patch Targets Zero-Day Exploit↗2015-01-26

▶

Talos

Flash 0-day Exploited by Angler Exploit Kit↗2015-01-23

▶

Talos

Flash 0-day Exploited by Angler Exploit Kit↗2015-01-23

▶

Qualys

New 0-day vulnerability in Adobe Flash - Update 5 | Qualys↗2015-01-21

▶

💬Community

Bugzilla

CVE-2015-0310 flash-plugin: Vulnerability that could be used to circumvent memory randomization mitigations (APSB15-02)↗2015-01-23

▶

Bugzilla

(CVE-2015-0311) Blocklist request for flash 0days affecting version 16.0.0.287, 13.0.0.262, and 11.2.202.438↗2015-01-22

▶