ID CVE-2017-3114
Summary An issue was discovered in Adobe Flash Player 27.0.0.183 and earlier versions. This vulnerability occurs as a result of a computation that reads data that is past the end of the target buffer; the computation is part of providing language- and region- or country- specific functionality. The use of an invalid (out-of-range) pointer offset during access of internal data structure fields causes the vulnerability. A successful attack can lead to sensitive data exposure.
References
Vulnerable Configurations
  • Red Hat Enterprise Linux Desktop 6.0
    cpe:2.3:o:redhat:enterprise_linux_desktop:6.0
  • Red Hat Enterprise Linux Server 6.0
    cpe:2.3:o:redhat:enterprise_linux_server:6.0
  • Red Hat Enterprise Linux Workstation 6.0
    cpe:2.3:o:redhat:enterprise_linux_workstation:6.0
  • cpe:2.3:a:adobe:flash_player:27.0.0.183
    cpe:2.3:a:adobe:flash_player:27.0.0.183
  • Apple Mac OS
    cpe:2.3:o:apple:mac_os
  • Linux Kernel
    cpe:2.3:o:linux:linux_kernel
  • Microsoft Windows
    cpe:2.3:o:microsoft:windows
  • cpe:2.3:a:adobe:flash_player:27.0.0.183:-:-:-:-:chrome
    cpe:2.3:a:adobe:flash_player:27.0.0.183:-:-:-:-:chrome
  • Apple Mac OS
    cpe:2.3:o:apple:mac_os
  • cpe:2.3:o:google:chrome_os
    cpe:2.3:o:google:chrome_os
  • Linux Kernel
    cpe:2.3:o:linux:linux_kernel
  • Microsoft Windows
    cpe:2.3:o:microsoft:windows
  • cpe:2.3:a:adobe:flash_player:27.0.0.183:-:-:-:-:edge
    cpe:2.3:a:adobe:flash_player:27.0.0.183:-:-:-:-:edge
  • cpe:2.3:a:adobe:flash_player:27.0.0.183:-:-:-:-:intenet_explorer_11
    cpe:2.3:a:adobe:flash_player:27.0.0.183:-:-:-:-:intenet_explorer_11
  • cpe:2.3:o:microsoft:windows_10
    cpe:2.3:o:microsoft:windows_10
  • cpe:2.3:o:microsoft:windows_8.1
    cpe:2.3:o:microsoft:windows_8.1
CVSS
Base: 10.0
Impact:
Exploitability:
CWE CWE-125
CAPEC
  • Overread Buffers
    An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.
nessus via4
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-3222.NASL
    description An update for flash-plugin is now available for Red Hat Enterprise Linux 6 Supplementary. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in. This update upgrades Flash Player to version 27.0.0.187. Security Fix(es) : * This update fixes multiple vulnerabilities in Adobe Flash Player. These vulnerabilities, detailed in the Adobe Security Bulletin listed in the References section, could allow an attacker to create a specially crafted SWF file that would cause flash-plugin to crash, execute arbitrary code, or disclose sensitive information when the victim loaded a page containing the malicious SWF content. (CVE-2017-3112, CVE-2017-3114, CVE-2017-11213, CVE-2017-11215, CVE-2017-11225)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 104622
    published 2017-11-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104622
    title RHEL 6 : flash-plugin (RHSA-2017:3222)
  • NASL family Windows
    NASL id FLASH_PLAYER_APSB17-33.NASL
    description The version of Adobe Flash Player installed on the remote Windows host is equal or prior to version 27.0.0.183. It is therefore affected by multiple remote code execution vulnerabilities.
    last seen 2019-02-21
    modified 2018-07-12
    plugin id 104544
    published 2017-11-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104544
    title Adobe Flash Player <= 27.0.0.183 (APSB17-33)
  • NASL family Windows : Microsoft Bulletins
    NASL id SMB_NT_MS17_NOV_4048951.NASL
    description The remote Windows host is missing security update KB4048951. It is, therefore, affected by multiple remote code execution vulnerabilities in Adobe Flash Player.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 104547
    published 2017-11-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104547
    title KB4048951: Security update for Adobe Flash Player (November 2017)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_52F10525CAFF11E7B5906451062F0F7A.NASL
    description Adobe reports : - These updates resolve out-of-bounds read vulnerabilities that could lead to remote code execution (CVE-2017-3112, CVE-2017-3114, CVE-2017-11213). - These updates resolve use after free vulnerabilities that could lead to remote code execution (CVE-2017-11215, CVE-2017-11225).
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 104647
    published 2017-11-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104647
    title FreeBSD : Flash Player -- multiple vulnerabilities (52f10525-caff-11e7-b590-6451062f0f7a)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_FLASH_PLAYER_APSB17-33.NASL
    description The version of Adobe Flash Player installed on the remote macOS or Mac OSX host is equal or prior to version 27.0.0.183. It is therefore affected by multiple remote code execution vulnerabilities.
    last seen 2019-02-21
    modified 2018-07-16
    plugin id 104545
    published 2017-11-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104545
    title Adobe Flash Player for Mac <= 27.0.0.183 (APSB17-33)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201711-13.NASL
    description The remote host is affected by the vulnerability described in GLSA-201711-13 (Adobe Flash Player: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Adobe Flash Player. Please review the referenced CVE identifiers and Adobe Security Bulletin for details. Impact : A remote attacker could possibly execute arbitrary code with the privileges of the process. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-01-26
    plugin id 104694
    published 2017-11-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104694
    title GLSA-201711-13 : Adobe Flash Player: Multiple vulnerabilities
redhat via4
advisories
rhsa
id RHSA-2017:3222
refmap via4
bid 101837
confirm https://helpx.adobe.com/security/products/flash-player/apsb17-33.html
gentoo GLSA-201711-13
sectrack 1039778
Last major update 09-12-2017 - 01:29
Published 09-12-2017 - 01:29
Last modified 21-12-2017 - 10:29
Back to Top