Vulnerability Name:

CVE-2017-11292

Assigned:2017-07-13
Published:2017-10-16
Updated:2017-12-07
Summary:Adobe Flash Player version 27.0.0.159 and earlier has a flawed bytecode verification procedure, which allows for an untrusted value to be used in the calculation of an array index. This can lead to type confusion, and successful exploitation could lead to arbitrary code execution.
CVSS v3 Severity:8.8 High (CVSS v3 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
7.7 High (Temporal CVSS v3 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
8.8 High (CCN CVSS v3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
7.7 High (CCN Temporal CVSS v3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
CVSS v2 Severity:6.5 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
6.5 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
Vulnerability Type:CWE-129
References:Source: BID
Type: VENDOR_ADVISORY
101286

Source: SECTRACK
Type: VENDOR_ADVISORY
1039582

Source: REDHAT
Type: UNKNOWN
RHSA-2017:2899

Source: XF
Type: UNKNOWN
adobe-flash-cve201711292-code-exec(133385)

Source: CONFIRM
Type: VENDOR_ADVISORY
https://helpx.adobe.com/security/products/flash-player/apsb17-32.html

Source: GENTOO
Type: VENDOR_ADVISORY
GLSA-201710-22

Vulnerable Configuration:Configuration 1:
  • cpe:/a:adobe:flash_player:27.0.0.159:*:*:*:*:*:*:*
  • AND
  • cpe:/o:apple:mac_os:*:*:*:*:*:*:*:*
  • OR cpe:/o:linux:linux_kernel:*:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:*:*:*:*:*:*:*:*

  • Configuration 2:
  • cpe:/a:adobe:flash_player:27.0.0.130::~~~edge~~:*:*:*:*:*
  • OR cpe:/a:adobe:flash_player:27.0.0.130::~~~internet_explorer_11~~:*:*:*:*:*
  • AND
  • cpe:/o:microsoft:windows_10:*:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_8.1:*:*:*:*:*:*:*:*

  • Configuration 3:
  • cpe:/a:adobe:flash_player:27.0.0.159::~~~chrome~~:*:*:*:*:*
  • AND
  • cpe:/o:apple:mac_os_x:*:*:*:*:*:*:*:*
  • OR cpe:/o:google:chrome_os:*:*:*:*:*:*:*:*
  • OR cpe:/o:linux:linux_kernel:*:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:*:*:*:*:*:*:*:*

  • Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:com.ubuntu.xenial:def:201711292000
    V
    CVE-2017-11292 on Ubuntu 16.04 LTS (xenial) - medium.
    2017-10-22
    oval:com.ubuntu.trusty:def:201711292000
    V
    CVE-2017-11292 on Ubuntu 14.04 LTS (trusty) - medium.
    2017-10-22
    BACK
    adobe flash_player 27.0.0.159
    apple mac_os *
    linux linux_kernel *
    microsoft windows *
    adobe flash_player 27.0.0.130
    adobe flash_player 27.0.0.130
    microsoft windows_10 *
    microsoft windows_8.1 *
    adobe flash_player 27.0.0.159
    apple mac_os_x *
    google chrome_os *
    linux linux_kernel *
    microsoft windows *