Arch Linux ASA-201512-17
Dec 28, 2015 - 12:00 a.m.

flashplugin, lib32-flashplugin: multiple issues

2015-12-28 00:00:00
Arch Linux
lists.archlinux.org
CVSS3: 10 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: CHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS2: 10 High
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE
  Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.288 Low
  Percentile: 96.4%

  • CVE-2015-8459:

Memory corruption vulnerabilities that could lead to code execution.
Credited to Kai Kang of Tencent’s Xuanwu LAB.

  • CVE-2015-8460:

Memory corruption vulnerabilities that could lead to code execution.
Credited to Jie Zeng of Qihoo 360.

  • CVE-2015-8634, CVE-2015-8635:

Use-after-free vulnerabilities that could lead to code execution.
Credited to Ben Hawkes, Mateusz Jurczyk and Natalie Silvanovich of
Google Project Zero.

  • CVE-2015-8636:

Memory corruption vulnerabilities that could lead to code execution.
Credited to Ben Hawkes, Mateusz Jurczyk and Natalie Silvanovich of
Google Project Zero.

  • CVE-2015-8638, CVE-2015-8639:

Use-after-free vulnerabilities that could lead to code execution.
Credited to Anonymous working with HP’s Zero Day Initiative.

  • CVE-2015-8640, CVE-2015-8641, CVE-2015-8642, CVE-2015-8643,
    CVE-2015-8646:

Use-after-free vulnerabilities that could lead to code execution.
Credited to Yuki Chen of Qihoo 360 Vulcan Team.

  • CVE-2015-8644:

Type confusion vulnerability that could lead to code execution. Credited
to Natalie Silvanovich of Google Project Zero.

  • CVE-2015-8645:

Memory corruption vulnerabilities that could lead to code execution.
Credited to Jaehun Jeong (@n3sk) of WINS, WSEC Analysis Team working
with Chromium Vulnerability Reward Program.

  • CVE-2015-8647, CVE-2015-8648, CVE-2015-8649, CVE-2015-8650:

Use-after-free vulnerabilities that could lead to code execution.
Credited to Anonymous working with HP’s Zero Day Initiative.

  • CVE-2015-8651:

Integer overflow vulnerability that could lead to code execution.
Credited to Kai Wang and Hunter Gao of Huawei’s IT Infrastructure &
Security Dept, BPIT&QM.
Adobe is aware of a report that an exploit for CVE-2015-8651 is being
used in limited, targeted attacks.

Affected packages:

OS    OS Version    Architecture    Package              Package Version      Filename
any   any           any             flashplugin          < 11.2.202.559-1     UNKNOWN
any   any           any             lib32-flashplugin    < 11.2.202.559-1     UNKNOWN
