⚠ Actively exploited
Added to CISA KEV on 2022-04-13. Federal agencies required to patch by 2022-05-04. Required action: The impacted product is end-of-life and should be disconnected if still in use.

CVE-2015-5123

CWE-416: Use After Free | 13 documents | 11 sources
Severity: 9.8 CRITICAL
EPSS: 47.6% (top 2.30%)
CISA KEV: Added 2022-04-13 | Due 2022-05-04
Exploit: Exploited in wild | Active exploitation observed
Timeline: Published Jul 14 | KEV added Apr 13 | KEV due May 4 | Latest update May 13
CISA Required Action: The impacted product is end-of-life and should be disconnected if still in use.

Description

Use-after-free vulnerability in the BitmapData class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.302 on Windows and OS X, 14.x through 18.0.0.203 on Windows and OS X, 11.x through 11.2.202.481 on Linux, and 12.x through 18.0.0.204 on Linux Chrome installations allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that overrides a valueOf function, as exploited in the wild in July 2015.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (9 packages)

NVD | adobe/flash_player | 11.0 | 11.2.202.481 | +2
NVD | adobe/flash_player_desktop_runtime | 18.0 | 18.0.0.203
Ubuntu | flashplugin-nonfree | < 11.2.202.481ubuntu0.14.04.2

Also affects: Enterprise Linux 6.6

🔴 Vulnerability Details (5)

GHSA | GHSA-6hpg-rw47-66vr: Use-after-free vulnerability in the BitmapData class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13 | 2022-05-13
Project0 | Attacking ECMAScript Engines with Redefinition - Project Zero | 2015-08-01
CVEList | CVE-2015-5123: Use-after-free vulnerability in the BitmapData class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13 | 2015-07-14
OSV | CVE-2015-5123: Use-after-free vulnerability in the BitmapData class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13 | 2015-07-14
VulnCheck | Adobe Flash Player Use-After-Free Vulnerability | 2015

📋 Vendor Advisories (2)

CISA | Adobe Flash Player Use-After-Free Vulnerability | 2022-04-13
Red Hat | flash-plugin: two code execution issues in APSA15-04 / APSB15-18 | 2015-07-10

🕵️ Threat Intelligence (4)

Krebs | Third Hacking Team Flash Zero-Day Found | 2015-07-14
Qualys | Update5 - HackingTeam 0-day for Flash | Qualys | 2015-07-07
Qualys | Update5 - HackingTeam 0-day for Flash | Qualys | 2015-07-06
Krebs | Third Hacking Team Flash Zero-Day Found – Krebs on Security | 2015-07-01

💬 Community (1)

Bugzilla | CVE-2015-5122 CVE-2015-5123 flash-plugin: two code execution issues in APSA15-04 / APSB15-18 | 2015-07-12