ID CVE-2014-0497
Summary Integer underflow in Adobe Flash Player before 11.7.700.261 and 11.8.x through 12.0.x before 12.0.0.44 on Windows and Mac OS X, and before 11.2.202.336 on Linux, allows remote attackers to execute arbitrary code via unspecified vectors.
References
Vulnerable Configurations
  • Adobe Flash Player 11.0
    cpe:2.3:a:adobe:flash_player:11.0
  • Adobe Flash Player 11.0.1.152
    cpe:2.3:a:adobe:flash_player:11.0.1.152
  • Adobe Flash Player 11.0.1.152 x64 (64-bit)
    cpe:2.3:a:adobe:flash_player:11.0.1.152:-:-:-:-:-:x64
  • Adobe Flash Player 11.0.1.153
    cpe:2.3:a:adobe:flash_player:11.0.1.153
  • Adobe Flash Player 11.1
    cpe:2.3:a:adobe:flash_player:11.1
  • Adobe Flash Player 11.1.102.55
    cpe:2.3:a:adobe:flash_player:11.1.102.55
  • Adobe Flash Player 11.1.102.55 (x64) 64-bit
    cpe:2.3:a:adobe:flash_player:11.1.102.55:-:-:-:-:-:x64
  • Adobe Flash Player 11.1.102.59
    cpe:2.3:a:adobe:flash_player:11.1.102.59
  • Adobe Flash Player 11.1.102.62
    cpe:2.3:a:adobe:flash_player:11.1.102.62
  • Adobe Flash Player 11.1.102.63
    cpe:2.3:a:adobe:flash_player:11.1.102.63
  • Adobe Flash Player 11.1.111.8
    cpe:2.3:a:adobe:flash_player:11.1.111.8
  • Adobe Flash Player 11.1.111.44
    cpe:2.3:a:adobe:flash_player:11.1.111.44
  • Adobe Flash Player 11.1.111.50
    cpe:2.3:a:adobe:flash_player:11.1.111.50
  • Adobe Flash Player 11.1.111.54
    cpe:2.3:a:adobe:flash_player:11.1.111.54
  • Adobe Flash Player 11.1.111.64
    cpe:2.3:a:adobe:flash_player:11.1.111.64
  • Adobe Flash Player 11.1.111.73
    cpe:2.3:a:adobe:flash_player:11.1.111.73
  • Adobe Flash Player 11.1.115.7
    cpe:2.3:a:adobe:flash_player:11.1.115.7
  • Adobe Flash Player 11.1.115.34
    cpe:2.3:a:adobe:flash_player:11.1.115.34
  • Adobe Flash Player 11.1.115.48
    cpe:2.3:a:adobe:flash_player:11.1.115.48
  • Adobe Flash Player 11.1.115.54
    cpe:2.3:a:adobe:flash_player:11.1.115.54
  • Adobe Flash Player 11.1.115.58
    cpe:2.3:a:adobe:flash_player:11.1.115.58
  • Adobe Flash Player 11.1.115.59
    cpe:2.3:a:adobe:flash_player:11.1.115.59
  • Adobe Flash Player 11.1.115.63
    cpe:2.3:a:adobe:flash_player:11.1.115.63
  • Adobe Flash Player 11.1.115.69
    cpe:2.3:a:adobe:flash_player:11.1.115.69
  • Adobe Flash Player 11.1.115.81
    cpe:2.3:a:adobe:flash_player:11.1.115.81
  • Adobe Flash Player 11.2.202.223
    cpe:2.3:a:adobe:flash_player:11.2.202.223
  • Adobe Flash Player 11.2.202.228
    cpe:2.3:a:adobe:flash_player:11.2.202.228
  • Adobe Flash Player 11.2.202.233
    cpe:2.3:a:adobe:flash_player:11.2.202.233
  • Adobe Flash Player 11.2.202.235
    cpe:2.3:a:adobe:flash_player:11.2.202.235
  • Adobe Flash Player 11.2.202.236
    cpe:2.3:a:adobe:flash_player:11.2.202.236
  • Adobe Flash Player 11.2.202.238
    cpe:2.3:a:adobe:flash_player:11.2.202.238
  • Adobe Flash Player 11.2.202.243
    cpe:2.3:a:adobe:flash_player:11.2.202.243
  • Adobe Flash Player 11.2.202.251
    cpe:2.3:a:adobe:flash_player:11.2.202.251
  • Adobe Flash Player 11.2.202.258
    cpe:2.3:a:adobe:flash_player:11.2.202.258
  • Adobe Flash Player 11.2.202.261
    cpe:2.3:a:adobe:flash_player:11.2.202.261
  • Adobe Flash Player 11.2.202.262
    cpe:2.3:a:adobe:flash_player:11.2.202.262
  • Adobe Flash Player 11.2.202.270
    cpe:2.3:a:adobe:flash_player:11.2.202.270
  • Adobe Flash Player 11.2.202.273
    cpe:2.3:a:adobe:flash_player:11.2.202.273
  • Adobe Flash Player 11.2.202.275
    cpe:2.3:a:adobe:flash_player:11.2.202.275
  • Adobe Flash Player 11.2.202.280
    cpe:2.3:a:adobe:flash_player:11.2.202.280
  • Adobe Flash Player 11.2.202.285
    cpe:2.3:a:adobe:flash_player:11.2.202.285
  • Adobe Flash Player 11.2.202.291
    cpe:2.3:a:adobe:flash_player:11.2.202.291
  • Adobe Flash Player 11.2.202.297
    cpe:2.3:a:adobe:flash_player:11.2.202.297
  • Adobe Flash Player 11.2.202.310
    cpe:2.3:a:adobe:flash_player:11.2.202.310
  • Adobe Flash Player 11.2.202.327
    cpe:2.3:a:adobe:flash_player:11.2.202.327
  • Adobe Flash Player 11.2.202.332
    cpe:2.3:a:adobe:flash_player:11.2.202.332
  • Adobe Flash Player 11.2.202.335
    cpe:2.3:a:adobe:flash_player:11.2.202.335
  • Linux Kernel
    cpe:2.3:o:linux:linux_kernel
  • Adobe Flash Player 11.8.800.94
    cpe:2.3:a:adobe:flash_player:11.8.800.94
  • Adobe Flash Player 11.8.800.97
    cpe:2.3:a:adobe:flash_player:11.8.800.97
  • Adobe Flash Player 11.8.800.168
    cpe:2.3:a:adobe:flash_player:11.8.800.168
  • Adobe Flash Player 11.9.900.117
    cpe:2.3:a:adobe:flash_player:11.9.900.117
  • Adobe Flash Player 11.9.900.152
    cpe:2.3:a:adobe:flash_player:11.9.900.152
  • Adobe Flash Player 11.9.900.170
    cpe:2.3:a:adobe:flash_player:11.9.900.170
  • Adobe Flash Player 12.0.0.38
    cpe:2.3:a:adobe:flash_player:12.0.0.38
  • Adobe Flash Player 12.0.0.41
    cpe:2.3:a:adobe:flash_player:12.0.0.41
  • Adobe Flash Player 12.0.0.43
    cpe:2.3:a:adobe:flash_player:12.0.0.43
  • Apple Mac OS X
    cpe:2.3:o:apple:mac_os_x
  • Microsoft Windows
    cpe:2.3:o:microsoft:windows
CVSS
Base: 10.0 (as of 05-02-2014 - 12:11)
Impact:
Exploitability:
CWE CWE-189
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
COMPLETE COMPLETE COMPLETE
exploit-db via4
description Adobe Flash Player Integer Underflow Remote Code Execution. CVE-2014-0497. Remote exploit for windows platform
file exploits/windows/remote/33212.rb
id EDB-ID:33212
last seen 2016-02-03
modified 2014-05-06
platform windows
port
published 2014-05-06
reporter metasploit
source https://www.exploit-db.com/download/33212/
title Adobe Flash Player Integer Underflow Remote Code Execution
type remote
metasploit via4
description This module exploits a vulnerability found in the ActiveX component of Adobe Flash Player before 12.0.0.43. By supplying a specially crafted swf file it is possible to trigger an integer underflow in several avm2 instructions, which can be turned into remote code execution under the context of the user, as exploited in the wild in February 2014. This module has been tested successfully with Adobe Flash Player 11.7.700.202 on Windows XP SP3, Windows 7 SP1 and Adobe Flash Player 11.3.372.94 on Windows 8 even when it includes rop chains for several Flash 11 versions, as exploited in the wild.
id MSF:EXPLOIT/WINDOWS/BROWSER/ADOBE_FLASH_AVM2
last seen 2019-03-07
modified 2017-07-24
published 2014-05-04
reliability Normal
reporter Rapid7
source https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/adobe_flash_avm2.rb
title Adobe Flash Player Integer Underflow Remote Code Execution
nessus via4
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_B7A7576D8E0A11E399769C4E36909CC0.NASL
    description Adobe reports : These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.
    last seen 2019-02-21
    modified 2018-11-23
    plugin id 72313
    published 2014-02-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=72313
    title FreeBSD : linux-flashplugin -- multiple vulnerabilities (b7a7576d-8e0a-11e3-9976-9c4e36909cc0)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_FLASH-PLAYER-140206.NASL
    description This update resolves an integer underflow vulnerability that could have been exploited to execute arbitrary code on the affected system. (CVE-2014-0497) More information: http://helpx.adobe.com/security/products/flash-player/apsb14-04.html
    last seen 2019-02-21
    modified 2014-05-06
    plugin id 72455
    published 2014-02-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=72455
    title SuSE 11.2 / 11.3 Security Update : flash-player (SAT Patch Numbers 8876 / 8880)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2014-109.NASL
    description Flash Player received an out of band critical security update to fix an integer underflow vulnerability that could be exploited to execute arbitrary code on the affected system (CVE-2014-0497). More information can be found on: http://helpx.adobe.com/security/products/flash-player/apsb14-04.html
    last seen 2019-02-21
    modified 2018-11-19
    plugin id 75246
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=75246
    title openSUSE Security Update : flash-player (openSUSE-SU-2014:0197-1)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_FLASH_PLAYER_12_0_0_44.NASL
    description According to its version, the instance of Flash Player installed on the remote Mac OS X host is equal or prior to 11.7.700.260 / 11.8.x / 11.9.x / 12.0.0.43. It is, therefore, potentially affected by an unspecified vulnerability that could lead to arbitrary code execution.
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 72285
    published 2014-02-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=72285
    title Flash Player for Mac <= 11.7.700.260 / 12.0.0.43 Unspecified Remote Code Execution (APSB14-04)
  • NASL family Windows
    NASL id SMB_KB2929825.NASL
    description The remote host is missing KB2929825. It is, therefore, affected by an unspecified vulnerability that could lead to arbitrary code execution related to the installed version of the Adobe Flash ActiveX control.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 72286
    published 2014-02-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=72286
    title MS KB2929825: Update for Vulnerability in Adobe Flash Player in Internet Explorer
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2014-0137.NASL
    description An updated Adobe Flash Player package that fixes one security issue is now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in. This update fixes one vulnerability in Adobe Flash Player. This vulnerability is detailed in the Adobe Security bulletin APSB14-04, listed in the References section. Specially crafted SWF content could cause flash-plugin to crash or, potentially, execute arbitrary code when a victim loads a page containing the malicious SWF content. (CVE-2014-0497) All users of Adobe Flash Player should install this updated package, which upgrades Flash Player to version 11.2.202.336.
    last seen 2019-02-21
    modified 2018-11-26
    plugin id 72363
    published 2014-02-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=72363
    title RHEL 5 / 6 : flash-plugin (RHSA-2014:0137)
  • NASL family Windows
    NASL id FLASH_PLAYER_APSB14-04.NASL
    description According to its version, the instance of Flash Player installed on the remote Windows host is equal or prior to 11.7.700.260 / 11.8.x / 11.9.x / 12.0.0.43. It is, therefore, potentially affected by an unspecified vulnerability that could lead to arbitrary code execution.
    last seen 2019-02-21
    modified 2018-07-11
    plugin id 72284
    published 2014-02-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=72284
    title Flash Player <= 11.7.700.260 / 12.0.0.43 Unspecified Remote Code Execution (APSB14-04)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201402-06.NASL
    description The remote host is affected by the vulnerability described in GLSA-201402-06 (Adobe Flash Player: Multiple vulnerabilities) Multiple unspecified vulnerabilities have been discovered in Adobe Flash Player. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could entice a user to open a specially crafted SWF file using Adobe Flash Player, possibly resulting in execution of arbitrary code with the privileges of the process or a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-12
    plugin id 72383
    published 2014-02-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=72383
    title GLSA-201402-06 : Adobe Flash Player: Multiple vulnerabilities
packetstorm via4
data source https://packetstormsecurity.com/files/download/126489/adobe_flash_avm2.rb.txt
id PACKETSTORM:126489
last seen 2016-12-05
published 2014-05-05
reporter juan vazquez
source https://packetstormsecurity.com/files/126489/Adobe-Flash-Player-Integer-Underflow-Remote-Code-Execution.html
title Adobe Flash Player Integer Underflow Remote Code Execution
redhat via4
advisories
rhsa
id RHSA-2014:0137
refmap via4
bid 65327
confirm
exploit-db 33212
osvdb 102849
sectrack 1029715
secunia
  • 56437
  • 56737
  • 56780
  • 56799
  • 56839
suse
  • SUSE-SU-2014:0221
  • openSUSE-SU-2014:0197
  • openSUSE-SU-2014:0203
xf adobe-flash-cve20140497-code-exec(90884)
the hacker news via4
Last major update 06-01-2017 - 21:59
Published 05-02-2014 - 00:15
Last modified 13-12-2018 - 10:52
Back to Top