⚠ Actively exploited
Added to CISA KEV on 2022-04-13. Federal agencies required to patch by 2022-05-04. Required action: The impacted product is end-of-life and should be disconnected if still in use.
Severity: 9.8 CRITICAL
EPSS: 92.4% (top 0.27%)
CISA KEV: Added 2022-04-13, due 2022-05-04
Exploit: Exploited in wild (active exploitation observed)
Timeline
Published: Jun 23
KEV added: Apr 13
KEV due: May 4
Latest update: May 17

Description

Heap-based buffer overflow in Adobe Flash Player before 13.0.0.296 and 14.x through 18.x before 18.0.0.194 on Windows and OS X and before 11.2.202.468 on Linux allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in June 2015.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (15 packages)

NVD | adobe/flash_player | 14.0.0.125 | 18.0.0.194 | +2
Ubuntu | flashplugin-nonfree | < 11.2.202.468ubuntu0.14.04.1

Also affects: Enterprise Linux 6.6

Patches

🔴 Vulnerability Details (4)

GHSA
GHSA-fcrm-7q5r-w4rw: Heap-based buffer overflow in Adobe Flash Player before 13 (2022-05-17)
CVEList
CVE-2015-3113: Heap-based buffer overflow in Adobe Flash Player before 13 (2015-06-23)
OSV
CVE-2015-3113: Heap-based buffer overflow in Adobe Flash Player before 13 (2015-06-23)
VulnCheck
Adobe Flash Player Heap-Based Buffer Overflow Vulnerability (2015)

💥 Exploits & PoCs (2)

Exploit-DB
Adobe Flash Player - Nellymoser Audio Decoding Buffer Overflow (Metasploit) (2015-07-08)
Metasploit
Adobe Flash Player Nellymoser Audio Decoding Buffer Overflow

📋 Vendor Advisories (2)

CISA
Adobe Flash Player Heap-Based Buffer Overflow Vulnerability (2022-04-13)
Red Hat
flash-plugin: code execution issue fixed in APSB15-14 (2015-06-23)

🕵️ Threat Intelligence (6)

Unit42
UPS: Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload (2015-07-27)
Unit42
UPS: Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload (2015-07-27)
Krebs
Emergency Patch for Adobe Flash Zero-Day (2015-06-23)
Qualys
Update - New 0-day for Adobe Flash | Qualys (2015-06-23)
Qualys
Update - New 0-day for Adobe Flash | Qualys (2015-06-23)

💬 Community (2)

Bugzilla
(CVE-2015-3113) Blocklist vulnerable versions of Flash Player plugin (18.0.0.194 and lower) (2015-06-24)
Bugzilla
CVE-2015-3113 flash-plugin: code execution issue fixed in APSB15-14 (2015-06-23)

CVE-2015-3113 (CRITICAL CVSS 9.8) | Heap-based buffer overflow in Adobe | cvebase.io