Vulnerability Name:

CVE-2009-0521 (CCN-48904)

Assigned:2009-02-24
Published:2009-02-24
Updated:2017-09-29
Summary:Untrusted search path vulnerability in Adobe Flash Player 9.x before 9.0.159.0 and 10.x before 10.0.22.87 on Linux allows local users to obtain sensitive information or gain privileges via a crafted library in a directory contained in the RPATH.
http://www.adobe.com/support/security/bulletins/apsb09-01.html

"This update prevents a potential Linux-only information disclosure issue in the Flash Player binary that could lead to privilege escalation. (CVE-2009-0521)"
CVSS v3 Severity:5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): None
Availibility (A): None
CVSS v2 Severity:4.6 Medium (CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P)
3.4 Low (Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N)
3.2 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
4.4 Medium (REDHAT CVSS v2 Vector: AV:L/AC:M/Au:N/C:P/I:P/A:P)
3.2 Low (REDHAT Temporal CVSS v2 Vector: AV:L/AC:M/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
Vulnerability Type:CWE-200
Vulnerability Consequences:Obtain Information
References:Source: MITRE
Type: CNA
CVE-2009-0521

Source: MISC
Type: UNKNOWN
http://isc.sans.org/diary.html?storyid=5929

Source: CCN
Type: RHSA-2009-0332
Critical: flash-plugin security update

Source: REDHAT
Type: UNKNOWN
RHSA-2009:0332

Source: CCN
Type: SA34012
Adobe Flash Player Multiple Vulnerabilities

Source: SECUNIA
Type: Vendor Advisory
34012

Source: SECUNIA
Type: UNKNOWN
34226

Source: GENTOO
Type: UNKNOWN
GLSA-200903-23

Source: CCN
Type: Adobe Product Security Bulletin APSB09-01
Flash Player update available to address security vulnerabilities

Source: CONFIRM
Type: Patch, Vendor Advisory
http://www.adobe.com/support/security/bulletins/apsb09-01.html

Source: CCN
Type: GLSA-200903-23
Adobe Flash Player: Multiple vulnerabilities

Source: CCN
Type: BID-33889
Adobe Flash Player Unspecified Information Disclosure Vulnerability

Source: CCN
Type: TLSA-2009-12
Multiple vulnerabilities exist in flash-player

Source: VUPEN
Type: Patch, Vendor Advisory
ADV-2009-0513

Source: CONFIRM
Type: UNKNOWN
https://bugzilla.redhat.com/show_bug.cgi?id=487144

Source: XF
Type: UNKNOWN
flash-unspecified-information-disclosure(48904)

Source: XF
Type: UNKNOWN
flash-unspecified-information-disclosure(48904)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:6160

Source: SUSE
Type: SUSE-SA:2009:011
Adobe Flash Player security update

Vulnerable Configuration:Configuration 1:
  • cpe:/a:adobe:flash_player_for_linux:10.0.12.36:*:*:*:*:*:*:*
  • OR cpe:/a:adobe:flash_player_for_linux:*:*:*:*:*:*:*:* (Version <= 10.0.15.3)
  • AND
  • cpe:/o:linux:linux_kernel:*:*:*:*:*:*:*:*

    • Configuration RedHat 1:
  • cpe:/a:redhat:rhel_extras:5:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:adobe:flash_player:10.0.15.3:*:*:*:*:*:*:*
  • AND
  • cpe:/o:gentoo:linux:*:*:*:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:9.0:*:*:*:*:*:*:*
  • OR cpe:/o:novell:linux_desktop:9:*:*:*:*:*:*:*
  • OR cpe:/o:turbolinux:turbolinux:fuji:*:*:*:*:*:*:*
  • OR cpe:/o:opensuse:opensuse:10.3:*:*:*:*:*:*:*
  • OR cpe:/o:opensuse:opensuse:11.0:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:20090521
    V
    		CVE-2009-0521
    2015-11-16
    oval:org.mitre.oval:def:22243
    P
    		ELSA-2009:0332: flash-plugin security update (Critical)
    2014-05-26
    oval:com.redhat.rhsa:def:20090332
    P
    		RHSA-2009:0332: flash-plugin security update (Critical)
    2009-02-25
    BACK
    adobe flash player for linux 10.0.12.36
    adobe flash player for linux *
    linux linux *
    adobe flash player 10.0.15.3
    gentoo linux *
    suse suse linux 9.0
    novell linux desktop 9
    turbolinux turbolinux fuji
    novell opensuse 10.3
    novell opensuse 11.0