Vulnerability Name:

CVE-2007-3457 (CCN-35338)

Assigned:2007-07-10
Published:2007-07-10
Updated:2017-07-29
Summary:Adobe Flash Player 8.0.34.0 and earlier insufficiently validates HTTP Referer headers, which might allow remote attackers to conduct a CSRF attack via a crafted SWF file.
CVSS v3 Severity:4.8 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.2 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
4.0 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N)
3.0 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): None
Vulnerability Type:CWE-352
Vulnerability Consequences:Bypass Security
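The practical lesson of this entry is about the server side rather than the plugin: a CSRF defence that consists only of checking the HTTP Referer header stands or falls on every client honouring that header, and the summary above describes a client that did not validate it properly. The following added example (illustrative code written for this page, not Adobe's or any vendor's) contrasts a Referer-only check with a synchronizer-token check on a hypothetical state-changing endpoint. The host name `bank.example`, the `handle_transfer` endpoint and the request dictionaries are all assumptions made for the demonstration.

```python
"""Added example for CVE-2007-3457 / CWE-352: Referer-only CSRF checks versus
a per-session synchronizer token. Hypothetical application, not vendor code."""
import hmac
import secrets
from urllib.parse import urlsplit

TRUSTED_ORIGIN = "bank.example"  # hypothetical application host


def referer_is_trusted(headers):
    """Referer-only CSRF check.

    Accepts the request when the Referer host equals the application's own
    host. The decision rests entirely on the client (browser or plugin)
    sending an honest header; a client that lets page content choose the
    Referer value defeats this check outright. An exact hostname comparison
    is used rather than a prefix match, so 'bank.example.attacker.test' is
    not accepted either.
    """
    referer = headers.get("Referer")
    if not referer:
        return False
    return urlsplit(referer).hostname == TRUSTED_ORIGIN


def issue_csrf_token(session):
    """Bind a fresh random token to the server-side session and return it
    so the application can embed it in its own forms."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def token_is_valid(session, form):
    """Synchronizer-token CSRF check.

    The submitted token must equal the one stored server-side for this
    session. A cross-site attacker cannot read the victim's token (same-origin
    policy keeps the page content private), so forging the request fails
    regardless of what headers the client attaches. compare_digest avoids a
    timing side channel on the comparison.
    """
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_transfer(session, headers, form, use_token=True):
    """Hypothetical state-changing endpoint. Returns (status, reason)."""
    if use_token:
        if not token_is_valid(session, form):
            return 403, "missing or mismatched CSRF token"
    else:
        if not referer_is_trusted(headers):
            return 403, "untrusted Referer"
    return 200, f"transferred {form.get('amount')} to {form.get('to')}"


def demo():
    """Constructed requests: a legitimate same-site submission, then a
    cross-site submission whose client has attached a Referer naming the
    trusted host (the client-side failure this entry is about) but which
    cannot carry the victim's token."""
    session = {}
    token = issue_csrf_token(session)

    legit_headers = {"Referer": "https://bank.example/transfer"}
    legit_form = {"csrf_token": token, "amount": "10", "to": "alice"}

    forged_headers = {"Referer": "https://bank.example/transfer"}  # constructed
    forged_form = {"amount": "9999", "to": "attacker"}              # no token

    return {
        "legit_token": handle_transfer(session, legit_headers, legit_form)[0],
        "forged_referer_only": handle_transfer(session, forged_headers,
                                               forged_form, use_token=False)[0],
        "forged_token": handle_transfer(session, forged_headers, forged_form)[0],
    }


if __name__ == "__main__":
    print(demo())
```

Under the Referer-only policy the forged request is accepted (200); under the token policy it is rejected (403) even though its Referer names the trusted host. Checking the Origin header, where the client sends one, or SameSite cookie attributes are complementary, but a server-side token remains the defence that does not depend on the client's header handling.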
References:Source: MITRE
Type: CNA
CVE-2007-3457

Source: CCN
Type: SA26027
Adobe Flash Player Multiple Vulnerabilities

Source: SECUNIA
Type: Patch, Vendor Advisory
26027

Source: SECUNIA
Type: Vendor Advisory
26118

Source: SECUNIA
Type: Vendor Advisory
26357

Source: SECUNIA
Type: UNKNOWN
28068

Source: CCN
Type: SECTRACK ID: 1018359
Adobe Flash Player Bugs Let Remote Users Execute Arbitrary Code or Conduct Cross-Site Request Forgery Attacks

Source: CCN
Type: Sun Alert ID: 103167
Security Vulnerabilities in Adobe Flash Player May Allow Unauthorized System Access or Generation of HTTP Requests

Source: SUNALERT
Type: UNKNOWN
103167

Source: SUNALERT
Type: UNKNOWN
201506

Source: CCN
Type: ASA-2007-530
Security Vulnerabilities in Adobe Flash Player May Allow Unauthorized System Access or Generation of HTTP Requests (Sun 103167)

Source: CCN
Type: Adobe Product Security Bulletin APSB07-12
Flash Player update available to address security vulnerabilities

Source: CONFIRM
Type: UNKNOWN
http://www.adobe.com/support/security/bulletins/apsb07-12.html

Source: CCN
Type: GLSA-200708-01
Macromedia Flash Player: Remote arbitrary code execution

Source: GENTOO
Type: UNKNOWN
GLSA-200708-01

Source: CCN
Type: US-CERT VU#138457
Adobe Flash Player fails to properly validate HTTP Referers

Source: CERT-VN
Type: US Government Resource
VU#138457

Source: SUSE
Type: UNKNOWN
SUSE-SA:2007:046

Source: OSVDB
Type: UNKNOWN
38049

Source: CCN
Type: OSVDB ID: 38049
Adobe Flash Player HTTP Referer Header CSRF

Source: SECTRACK
Type: UNKNOWN
1018359

Source: CCN
Type: TLSA-2007-36
Three vulnerabilities discovered in flash-player

Source: CERT
Type: US Government Resource
TA07-192A

Source: VUPEN
Type: UNKNOWN
ADV-2007-2497

Source: VUPEN
Type: UNKNOWN
ADV-2007-4190

Source: XF
Type: UNKNOWN
flashplayer-swf-httpreferer-csrf(35338)

Source: SUSE
Type: SUSE-SA:2007:046
flash-player security problems

Vulnerable Configuration:Configuration 1:
  • cpe:/a:adobe:flash_player:*:*:*:*:*:*:*:* (Version <= 8.0.34.0)

  • Configuration CCN 1:
  • cpe:/a:adobe:flash_player_for_linux:9.0.115.0:*:*:*:*:*:*:*
  • OR cpe:/a:adobe:flash_player:9.0.28:*:*:*:*:*:*:*
  • OR cpe:/a:adobe:flash_player:9.0.31:*:*:*:*:*:*:*
  • OR cpe:/a:adobe:flash_player:9.0.45.0:*:*:*:*:*:*:*
  • OR cpe:/a:adobe:flash_player:9.0.16:*:*:*:*:*:*:*
  • OR cpe:/a:adobe:flash_player:9.0.18d60:*:*:*:*:*:*:*
  • OR cpe:/a:adobe:flash_player:9.0.20.0:*:*:*:*:*:*:*
  • OR cpe:/a:adobe:flash_player:9.0.28.0:*:*:*:*:*:*:*
  • OR cpe:/a:adobe:flash_player:9.0.31.0:*:*:*:*:*:*:*
  • OR cpe:/a:adobe:flash_player:9.0.20:*:*:*:*:*:*:*
  • OR cpe:/a:adobe:flash_player:9.0.124.0:*:*:*:*:*:*:*
  • AND
  • cpe:/o:gentoo:linux:*:*:*:*:*:*:*:*
  • OR cpe:/o:suse:linux_enterprise_server:8:*:*:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:9.0:*:*:*:*:*:*:*
  • OR cpe:/o:novell:linux_desktop:9:*:*:*:*:*:*:*
  • OR cpe:/o:sun:solaris:10::sparc:*:*:*:*:*
  • OR cpe:/o:sun:solaris:10::x86:*:*:*:*:*
  • OR cpe:/o:turbolinux:turbolinux:fuji:*:*:*:*:*:*:*
  • OR cpe:/o:opensuse:opensuse:10.2:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    Oval Definitions
    Definition ID | Class | Title | Last Modified
    oval:org.mitre.oval:def:29400 | V | Adobe Flash Player 8.0.34.0 and earlier insufficiently validates HTTP Referer headers (CVE-2007-3457) | 2015-12-22
    oval:org.opensuse.security:def:20073457 | V | CVE-2007-3457 | 2015-11-16