Vulnerability Name: CVE-2010-3636 (CCN-63026)

Assigned: 2010-11-04
Published: 2010-11-04
Updated: 2019-10-09
Summary: Adobe Flash Player before 9.0.289.0 and 10.x before 10.1.102.64 on Windows, Mac OS X, Linux, and Solaris, and 10.1.95.1 on Android, does not properly handle unspecified encodings during the parsing of a cross-domain policy file, which allows remote web servers to bypass intended access restrictions via unknown vectors.
CVSS v3 Severity: 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): Low
Availability (A): None
CVSS v2 Severity: 9.3 High (CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C)
6.9 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.2 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
6.8 Medium (REDHAT CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
5.0 Medium (REDHAT Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
Vulnerability Type: CWE-264
Vulnerability Consequences: Bypass Security
References:

Source: CCN
Type: Sun Blog, 18 Jan 2011
Multiple Vulnerabilities in Adobe Flash Player

Source: CONFIRM
Type: Broken Link
http://blogs.sun.com/security/entry/multiple_vulnerabilities_in_adobe_flash1

Source: MITRE
Type: CNA
CVE-2010-3636

Source: JVN
Type: Third Party Advisory, VDB Entry
JVN#48425028

Source: JVNDB
Type: Third Party Advisory, VDB Entry
JVNDB-2010-000054

Source: APPLE
Type: Mailing List, Third Party Advisory
APPLE-SA-2010-11-10-1

Source: SUSE
Type: Third Party Advisory
SUSE-SA:2010:055

Source: HP
Type: Mailing List, Third Party Advisory
SSRT100428

Source: CCN
Type: RHSA-2010-0829
Critical: flash-plugin security update

Source: CCN
Type: RHSA-2010-0834
Critical: flash-plugin security update

Source: CCN
Type: RHSA-2010-0867
Critical: flash-plugin security update

Source: SECUNIA
Type: Third Party Advisory
42183

Source: CCN
Type: SA42926
Oracle Solaris Adobe Flash Player Multiple Vulnerabilities

Source: SECUNIA
Type: Third Party Advisory
42926

Source: SECUNIA
Type: Third Party Advisory
43026

Source: GENTOO
Type: Third Party Advisory
GLSA-201101-09

Source: CONFIRM
Type: Third Party Advisory
http://support.apple.com/kb/HT4435

Source: CCN
Type: Adobe Product Security Bulletin APSB10-26
Security update available for Adobe Flash Player

Source: CONFIRM
Type: Patch, Vendor Advisory
http://www.adobe.com/support/security/bulletins/apsb10-26.html

Source: CCN
Type: GLSA-201101-09
Adobe Flash Player: Multiple vulnerabilities

Source: CCN
Type: OSVDB ID: 69146
Adobe Flash Unspecified Cross-Domain Policy Bypass (2010-3636)

Source: REDHAT
Type: Third Party Advisory
RHSA-2010:0829

Source: REDHAT
Type: Third Party Advisory
RHSA-2010:0834

Source: REDHAT
Type: Third Party Advisory
RHSA-2010:0867

Source: BID
Type: Third Party Advisory, VDB Entry
44691

Source: CCN
Type: BID-44691
Adobe Flash Player CVE-2010-3636 Policy File Cross Domain Security Bypass Vulnerability

Source: VUPEN
Type: Third Party Advisory
ADV-2010-2903

Source: VUPEN
Type: Third Party Advisory
ADV-2010-2906

Source: VUPEN
Type: Third Party Advisory
ADV-2010-2918

Source: VUPEN
Type: Third Party Advisory
ADV-2011-0173

Source: VUPEN
Type: Third Party Advisory
ADV-2011-0192

Source: XF
Type: UNKNOWN
flash-crossdomain-securitypol-sec-bypass(63026)

Source: OVAL
Type: Third Party Advisory
oval:org.mitre.oval:def:12142

Source: OVAL
Type: Third Party Advisory
oval:org.mitre.oval:def:15913

Source: SUSE
Type: SUSE-SA:2010:055
Adobe Flash Player security problems

Vulnerable Configuration:
  • Configuration 1:
  • cpe:/a:adobe:flash_player:*:*:*:*:*:*:*:* (Version >= 9.0 and < 9.0.289.0)
  • OR cpe:/a:adobe:flash_player:*:*:*:*:*:*:*:* (Version >= 10.0 and < 10.1.102.64)
  • AND
  • cpe:/o:apple:mac_os_x:-:*:*:*:*:*:*:*
  • OR cpe:/o:linux:linux_kernel:-:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:-:*:*:*:*:*:*:*
  • OR cpe:/o:sun:sunos:-:*:*:*:*:*:*:*

  • Configuration 2:
  • cpe:/a:adobe:flash_player:*:*:*:*:*:*:*:* (Version <= 10.1.95.1)
  • AND
  • cpe:/o:google:android:-:*:*:*:*:*:*:*

  • Configuration RedHat 1:
  • cpe:/a:redhat:rhel_extras:5:*:*:*:*:*:*:*

  • Configuration RedHat 2:
  • cpe:/a:redhat:rhel_extras:6:*:*:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/a:adobe:flash_player:10.1.85.3:*:*:*:*:*:*:*
  • AND
  • cpe:/o:gentoo:linux:*:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:rhel_extras:4:*:*:*:*:*:*:*
  • OR cpe:/o:oracle:solaris:10:*:*:*:*:*:*:*
  • OR cpe:/o:oracle:solaris:11_express:*:*:*:*:*:*:*

  * Denotes that component is vulnerable

Oval Definitions:

Definition ID: oval:org.opensuse.security:def:20103636
Class: V
Title: CVE-2010-3636
Last Modified: 2015-11-16

Definition ID: oval:org.mitre.oval:def:12142
Class: V
Title: Vulnerability in parsing of a cross-domain policy file in Adobe Flash Player version less than 9.0.289.0 and 10.x less than 10.1.102.64
Last Modified: 2015-08-03

Definition ID: oval:org.mitre.oval:def:23533
Class: P
Title: ELSA-2010:0867: flash-plugin security update (Critical)
Last Modified: 2014-05-26

Definition ID: oval:org.mitre.oval:def:23206
Class: P
Title: ELSA-2010:0829: flash-plugin security update (Critical)
Last Modified: 2014-05-26

Definition ID: oval:org.mitre.oval:def:22102
Class: P
Title: RHSA-2010:0867: flash-plugin security update (Critical)
Last Modified: 2014-02-24

Definition ID: oval:org.mitre.oval:def:22325
Class: P
Title: RHSA-2010:0829: flash-plugin security update (Critical)
Last Modified: 2014-02-24

Definition ID: oval:org.mitre.oval:def:15913
Class: V
Title: Vulnerability in parsing of a cross-domain policy file in Adobe Flash Player version less than 9.0.289.0 and 10.x less than 10.1.102.64
Last Modified: 2013-02-04

Definition ID: oval:com.redhat.rhsa:def:20100867
Class: P
Title: RHSA-2010:0867: flash-plugin security update (Critical)
Last Modified: 2010-11-10

Definition ID: oval:com.redhat.rhsa:def:20100829
Class: P
Title: RHSA-2010:0829: flash-plugin security update (Critical)
Last Modified: 2010-11-05