⚠ Actively exploited

Added to CISA KEV on 2022-03-03. Federal agencies required to patch by 2022-03-24. Required action: The impacted product is end-of-life and should be disconnected if still in use..

CVE-2015-5119

CWE-416 — Use After Free CWE-119 — Buffer Overflow20 documents16 sources

Severity

9.8CRITICAL

EPSS

93.2%

top 0.20%

CISA KEV

KEV

Added 2022-03-03

Due 2022-03-24

Exploit

Exploited in wild

Active exploitation observed

Affected products

Adobe Flash Player Opensuse Evergreen Opensuse Opensuse +8 more

Timeline

PublishedJul 8

KEV addedMar 3

KEV dueMar 24

Latest updateMay 17

CISA Required Action: The impacted product is end-of-life and should be disconnected if still in use.

Description

Use-after-free vulnerability in the ByteArray class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.296 and 14.x through 18.0.0.194 on Windows and OS X and 11.x through 11.2.202.468 on Linux allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that overrides a valueOf function, as exploited in the wild in July 2015.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages9 packages

▶NVDadobe/flash_player13.0.0.182 — 13.0.0296+2

▶Ubuntuflashplugin-nonfree< 11.2.202.481ubuntu0.14.04.1

▶NVDsuse/linux_enterprise_desktop11, 12+1

▶NVDredhat/enterprise_linux_server5.0, 6.0+1

▶NVDredhat/enterprise_linux_desktop5.0, 6.0+1

Also affects: Enterprise Linux 6.6, 5.0, 6.0

Patches

Patch: helpx.adobe.com ↗Patch: helpx.adobe.com ↗Patch: helpx.adobe.com ↗

🔴Vulnerability Details

GHSA

GHSA-3792-ff84-674w: Use-after-free vulnerability in the ByteArray class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13↗2022-05-17

▶

Project0

Attacking ECMAScript Engines with Redefinition - Project Zero↗2015-08-01

▶

OSV

CVE-2015-5119: Use-after-free vulnerability in the ByteArray class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13↗2015-07-08

▶

CVEList

CVE-2015-5119: Use-after-free vulnerability in the ByteArray class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13↗2015-07-08

▶

VulnCheck

Adobe Flash Player Use-After-Free Vulnerability↗2015

▶

💥Exploits & PoCs

Exploit-DB

Adobe Flash Player - ByteArray Use-After-Free (Metasploit)↗2015-07-08

▶

🔍Detection Rules

YARA

Flash_CVE_2015_5119_APT3↗

▶

📋Vendor Advisories

CISA

Adobe Flash Player Use-After-Free Vulnerability↗2022-03-03

▶

Red Hat

flash-plugin: code execution issue in APSA15-03 / APSB15-16↗2015-07-07

▶

🕵️Threat Intelligence

Unit42

Web-based Threats-2018 Q3: Malicious URLs and Domains take a Dip↗2018-12-27

▶

Zscaler

Adobe Flash Vulnerability CVE-2015-5119 Analysis | Zscaler↗2015-07-13

▶

Volexity

APT Group Wekby Leveraging Adobe Flash Exploit (CVE-2015-5119)↗2015-07-08

▶

Volexity

APT Group Wekby Leveraging Adobe Flash Exploit (CVE-2015-5119)↗2015-07-08

▶

Qualys

Update5 - HackingTeam 0-day for Flash | Qualys↗2015-07-07

▶

💬Community

Bugzilla

CVE-2015-5119 flash-plugin: code execution issue in APSA15-03 / APSB15-16↗2015-07-07

▶