ID

VAR-201305-0201


CVE

CVE-2013-3330


TITLE

Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution

Trust: 0.8

sources: JVNDB: JVNDB-2013-002697

DESCRIPTION

Adobe Flash Player before 10.3.183.86 and 11.x before 11.7.700.202 on Windows and Mac OS X, before 10.3.183.86 and 11.x before 11.2.202.285 on Linux, before 11.1.111.54 on Android 2.x and 3.x, and before 11.1.115.58 on Android 4.x; Adobe AIR before 3.7.0.1860; and Adobe AIR SDK & Compiler before 3.7.0.1860 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-2728, CVE-2013-3324, CVE-2013-3325, CVE-2013-3326, CVE-2013-3327, CVE-2013-3328, CVE-2013-3329, CVE-2013-3331, CVE-2013-3332, CVE-2013-3333, CVE-2013-3334, and CVE-2013-3335. This vulnerability CVE-2013-2728 , CVE-2013-3324 , CVE-2013-3325 , CVE-2013-3326 , CVE-2013-3327 , CVE-2013-3328 , CVE-2013-3329 , CVE-2013-3331 , CVE-2013-3332 , CVE-2013-3333 , CVE-2013-3334 ,and CVE-2013-3335 Is a different vulnerability.An attacker could execute arbitrary code or cause a denial of service ( Memory corruption ) There is a possibility of being put into a state. Attackers can exploit this issue to execute arbitrary code within the context of the user running the affected application. Failed exploit attempts will likely cause denial-of-service conditions. Adobe AIR is a cross-operating system runtime environment that can be used to build and configure cross-platform desktop RIA (Rich Internet Applications) applications. Vulnerabilities in versions prior to 0.1860; Adobe AIR SDK & Compiler prior to 3.7.0.1860. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: flash-plugin security update Advisory ID: RHSA-2013:0825-01 Product: Red Hat Enterprise Linux Supplementary Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-0825.html Issue date: 2013-05-15 CVE Names: CVE-2013-2728 CVE-2013-3324 CVE-2013-3325 CVE-2013-3326 CVE-2013-3327 CVE-2013-3328 CVE-2013-3329 CVE-2013-3330 CVE-2013-3331 CVE-2013-3332 CVE-2013-3333 CVE-2013-3334 CVE-2013-3335 ===================================================================== 1. Summary: An updated Adobe Flash Player package that fixes multiple security issues is now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64 Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64 Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64 3. Description: The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in. These vulnerabilities are detailed in the Adobe Security bulletin APSB13-14, listed in the References section. Specially-crafted SWF content could cause flash-plugin to crash or, potentially, execute arbitrary code when a victim loads a page containing the malicious SWF content. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 962895 - flash-plugin: multiple code execution flaws (APSB13-14) 6. Package List: Red Hat Enterprise Linux Desktop Supplementary (v. 5): i386: flash-plugin-11.2.202.285-1.el5.i386.rpm x86_64: flash-plugin-11.2.202.285-1.el5.i386.rpm Red Hat Enterprise Linux Server Supplementary (v. 5): i386: flash-plugin-11.2.202.285-1.el5.i386.rpm x86_64: flash-plugin-11.2.202.285-1.el5.i386.rpm Red Hat Enterprise Linux Desktop Supplementary (v. 6): i386: flash-plugin-11.2.202.285-1.el6.i686.rpm x86_64: flash-plugin-11.2.202.285-1.el6.i686.rpm Red Hat Enterprise Linux Server Supplementary (v. 6): i386: flash-plugin-11.2.202.285-1.el6.i686.rpm x86_64: flash-plugin-11.2.202.285-1.el6.i686.rpm Red Hat Enterprise Linux Workstation Supplementary (v. 6): i386: flash-plugin-11.2.202.285-1.el6.i686.rpm x86_64: flash-plugin-11.2.202.285-1.el6.i686.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2013-2728.html https://www.redhat.com/security/data/cve/CVE-2013-3324.html https://www.redhat.com/security/data/cve/CVE-2013-3325.html https://www.redhat.com/security/data/cve/CVE-2013-3326.html https://www.redhat.com/security/data/cve/CVE-2013-3327.html https://www.redhat.com/security/data/cve/CVE-2013-3328.html https://www.redhat.com/security/data/cve/CVE-2013-3329.html https://www.redhat.com/security/data/cve/CVE-2013-3330.html https://www.redhat.com/security/data/cve/CVE-2013-3331.html https://www.redhat.com/security/data/cve/CVE-2013-3332.html https://www.redhat.com/security/data/cve/CVE-2013-3333.html https://www.redhat.com/security/data/cve/CVE-2013-3334.html https://www.redhat.com/security/data/cve/CVE-2013-3335.html https://access.redhat.com/security/updates/classification/#critical http://www.adobe.com/support/security/bulletins/apsb13-14.html 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2013 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFRk0+VXlSAg2UNWIIRAkH8AJ4qnX1dCu9PQZVRQTc+jd80f3eHuQCgpBlA pCXFdmTpNYaaRsAS+FVd7h4= =8nby -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce

Trust: 2.07

sources: NVD: CVE-2013-3330 // JVNDB: JVNDB-2013-002697 // BID: 59896 // VULHUB: VHN-63332 // PACKETSTORM: 121646

AFFECTED PRODUCTS

vendor:redhatmodel:enterprise linux workstationscope:eqversion:6.0

Trust: 1.0

vendor:adobemodel:flash playerscope:ltversion:11.7.700.202

Trust: 1.0

vendor:adobemodel:flash playerscope:ltversion:11.1.111.54

Trust: 1.0

vendor:redhatmodel:enterprise linux eusscope:eqversion:5.9

Trust: 1.0

vendor:redhatmodel:enterprise linux desktopscope:eqversion:6.0

Trust: 1.0

vendor:redhatmodel:enterprise linux server eusscope:eqversion:6.4

Trust: 1.0

vendor:opensusemodel:opensusescope:eqversion:12.3

Trust: 1.0

vendor:redhatmodel:enterprise linux eusscope:eqversion:6.4

Trust: 1.0

vendor:opensusemodel:opensusescope:eqversion:11.4

Trust: 1.0

vendor:adobemodel:flash playerscope:ltversion:10.3.183.86

Trust: 1.0

vendor:opensusemodel:opensusescope:eqversion:12.2

Trust: 1.0

vendor:adobemodel:air sdkscope:ltversion:3.7.0.1860

Trust: 1.0

vendor:adobemodel:flash playerscope:gteversion:11.0

Trust: 1.0

vendor:susemodel:linux enterprise desktopscope:eqversion:10

Trust: 1.0

vendor:redhatmodel:enterprise linux serverscope:eqversion:6.0

Trust: 1.0

vendor:adobemodel:flash playerscope:ltversion:11.1.115.58

Trust: 1.0

vendor:adobemodel:airscope:ltversion:3.7.0.1860

Trust: 1.0

vendor:susemodel:linux enterprise desktopscope:eqversion:11

Trust: 1.0

vendor:redhatmodel:enterprise linux server eusscope:eqversion:5.9

Trust: 1.0

vendor:adobemodel:flash playerscope:ltversion:11.2.202.285

Trust: 1.0

vendor:googlemodel:chromescope:ltversion:26 installed on adobe flash player 11.7.700.202 (windows

Trust: 0.8

vendor:googlemodel:chromescope:eqversion:linux

Trust: 0.8

vendor:googlemodel:chromescope:eqversion:and macintosh)

Trust: 0.8

vendor:adobemodel:airscope:ltversion:3.7.0.1860 (windows

Trust: 0.8

vendor:adobemodel:airscope:eqversion:macintosh

Trust: 0.8

vendor:adobemodel:airscope:eqversion:and android)

Trust: 0.8

vendor:adobemodel:air sdkscope:ltversion:(sdk & compiler) 3.7.0.1860

Trust: 0.8

vendor:adobemodel:flash playerscope:ltversion:11.1.111.54 (android 2.x and 3.x)

Trust: 0.8

vendor:adobemodel:flash playerscope:ltversion:11.1.115.58 (android 4.x)

Trust: 0.8

vendor:adobemodel:flash playerscope:ltversion:11.2.202.285 (linux)

Trust: 0.8

vendor:adobemodel:flash playerscope:ltversion:11.7.700.202 (windows and macintosh)

Trust: 0.8

vendor:microsoftmodel:internet explorerscope:ltversion:10 (adobe flash player 11.7.700.202 )

Trust: 0.8

vendor:microsoftmodel:windowsscope:ltversion:rt (adobe flash player 11.7.700.202 )

Trust: 0.8

vendor:microsoftmodel:windows 8scope:ltversion:for 32-bit systems (adobe flash player 11.7.700.202 )

Trust: 0.8

vendor:microsoftmodel:windows 8scope:ltversion:for 64-bit systems (adobe flash player 11.7.700.202 )

Trust: 0.8

vendor:microsoftmodel:windows serverscope:ltversion:2012 (adobe flash player 11.7.700.202 )

Trust: 0.8

vendor:adobemodel:air sdkscope:eqversion:3.0.0.4080

Trust: 0.6

vendor:adobemodel:air sdkscope:eqversion:3.5.0.600

Trust: 0.6

vendor:adobemodel:air sdkscope:eqversion:3.4.0.2540

Trust: 0.6

vendor:adobemodel:air sdkscope:eqversion:3.5.0.880

Trust: 0.6

vendor:adobemodel:air sdkscope:eqversion:3.5.0.890

Trust: 0.6

vendor:adobemodel:air sdkscope:eqversion:3.1.0.488

Trust: 0.6

vendor:adobemodel:air sdkscope:eqversion:3.3.0.3650

Trust: 0.6

vendor:adobemodel:air sdkscope:eqversion:3.5.0.1060

Trust: 0.6

vendor:adobemodel:air sdkscope:eqversion:3.4.0.2710

Trust: 0.6

vendor:adobemodel:air sdkscope:eqversion:3.3.0.3690

Trust: 0.6

vendor:susemodel:linux enterprise desktop sp2scope:eqversion:11

Trust: 0.3

vendor:susemodel:linux enterprise desktop sp4scope:eqversion:10

Trust: 0.3

vendor:susemodel:opensusescope:eqversion:11.4

Trust: 0.3

vendor:srwaremodel:ironscope:eqversion:9.0.600.1

Trust: 0.3

vendor:srwaremodel:ironscope:eqversion:8.0.555.1

Trust: 0.3

vendor:srwaremodel:ironscope:eqversion:8.0.555.0

Trust: 0.3

vendor:srwaremodel:ironscope:eqversion:18.0.1050.0

Trust: 0.3

vendor:srwaremodel:ironscope:eqversion:15.0.900.1

Trust: 0.3

vendor:srwaremodel:ironscope:eqversion:13.0.800.0

Trust: 0.3

vendor:srwaremodel:ironscope:eqversion:13.0

Trust: 0.3

vendor:srwaremodel:ironscope:eqversion:11.0.700.2

Trust: 0.3

vendor:srwaremodel:ironscope:eqversion:11.0.700.1

Trust: 0.3

vendor:srwaremodel:ironscope:eqversion:11.0.700.0

Trust: 0.3

vendor:redmodel:hat enterprise linux workstation supplementaryscope:eqversion:6

Trust: 0.3

vendor:redmodel:hat enterprise linux supplementary serverscope:eqversion:5

Trust: 0.3

vendor:redmodel:hat enterprise linux server supplementaryscope:eqversion:6

Trust: 0.3

vendor:redmodel:hat enterprise linux desktop supplementaryscope:eqversion:6

Trust: 0.3

vendor:redmodel:hat enterprise linux desktop supplementary clientscope:eqversion:5

Trust: 0.3

sources: BID: 59896 // JVNDB: JVNDB-2013-002697 // CNNVD: CNNVD-201305-356 // NVD: CVE-2013-3330

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2013-3330
value: HIGH

Trust: 1.0

NVD: CVE-2013-3330
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201305-356
value: CRITICAL

Trust: 0.6

VULHUB: VHN-63332
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2013-3330
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-63332
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-63332 // JVNDB: JVNDB-2013-002697 // CNNVD: CNNVD-201305-356 // NVD: CVE-2013-3330

PROBLEMTYPE DATA

problemtype:CWE-119

Trust: 1.9

sources: VULHUB: VHN-63332 // JVNDB: JVNDB-2013-002697 // NVD: CVE-2013-3330

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201305-356

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-201305-356

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-002697

PATCH

title:APSB13-14url:http://www.adobe.com/support/security/bulletins/apsb13-14.html

Trust: 0.8

title:APSB13-14 (cq05140122)url:http://helpx.adobe.com/jp/flash-player/kb/cq05140122.html

Trust: 0.8

title:Google Chromeurl:http://www.google.co.jp/chrome/intl/ja/landing_ff_yt.html?hl=ja&hl=ja

Trust: 0.8

title:Flash Player Updateurl:http://googlechromereleases.blogspot.jp/2013/05/flash-player-update.html

Trust: 0.8

title:Update for Vulnerabilities in Adobe Flash Player in Internet Explorer 10 (2755801)url:http://technet.microsoft.com/en-us/security/advisory/2755801

Trust: 0.8

title:SUSE-SU-2013:0798url:http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00003.html

Trust: 0.8

title:openSUSE-SU-2013:0892url:http://lists.opensuse.org/opensuse-security-announce/2013-06/msg00003.html

Trust: 0.8

title:openSUSE-SU-2013:0954url:http://lists.opensuse.org/opensuse-security-announce/2013-06/msg00010.html

Trust: 0.8

title:RHSA-2013:0825url:http://rhn.redhat.com/errata/RHSA-2013-0825.html

Trust: 0.8

title:Internet Explorer 10 上の Adobe Flash Player の脆弱性用の更新プログラム (2755801)url:http://technet.microsoft.com/ja-jp/security/advisory/2755801

Trust: 0.8

title:アドビ システムズ社 Adobe Flash Player の脆弱性に関するお知らせurl:http://www.fmworld.net/biz/common/adobe/20130516f.html

Trust: 0.8

title:install_flash_player_11_linux.i386url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=45965

Trust: 0.6

title:install_flash_player_osxurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=45964

Trust: 0.6

title:install_flashplayer11x32ax_mssd_aihurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=45963

Trust: 0.6

sources: JVNDB: JVNDB-2013-002697 // CNNVD: CNNVD-201305-356

EXTERNAL IDS

db:NVDid:CVE-2013-3330

Trust: 2.9

db:SECUNIAid:53442

Trust: 1.7

db:JVNDBid:JVNDB-2013-002697

Trust: 0.8

db:CNNVDid:CNNVD-201305-356

Trust: 0.7

db:BIDid:59896

Trust: 0.4

db:VULHUBid:VHN-63332

Trust: 0.1

db:PACKETSTORMid:121646

Trust: 0.1

sources: VULHUB: VHN-63332 // BID: 59896 // JVNDB: JVNDB-2013-002697 // PACKETSTORM: 121646 // CNNVD: CNNVD-201305-356 // NVD: CVE-2013-3330

REFERENCES

url:http://www.adobe.com/support/security/bulletins/apsb13-14.html

Trust: 1.8

url:http://rhn.redhat.com/errata/rhsa-2013-0825.html

Trust: 1.8

url:https://oval.cisecurity.org/repository/search/definition/oval%3aorg.mitre.oval%3adef%3a17083

Trust: 1.7

url:http://secunia.com/advisories/53442

Trust: 1.7

url:http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00003.html

Trust: 1.7

url:http://lists.opensuse.org/opensuse-security-announce/2013-06/msg00003.html

Trust: 1.7

url:http://lists.opensuse.org/opensuse-security-announce/2013-06/msg00010.html

Trust: 1.7

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-3330

Trust: 0.8

url:http://www.ipa.go.jp/security/ciadr/vul/20130515-adobeflashplayer.html

Trust: 0.8

url:https://www.jpcert.or.jp/at/2013/at130025.txt

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-3330

Trust: 0.8

url:http://www.npa.go.jp/cyberpolice/topics/?seq=11478

Trust: 0.8

url:http://www.adobe.com/products/air/

Trust: 0.3

url:http://www.adobe.com/products/flash/

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2013-3333

Trust: 0.1

url:https://access.redhat.com/security/updates/classification/#critical

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-3329

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-3324

Trust: 0.1

url:https://www.redhat.com/security/data/cve/cve-2013-3325.html

Trust: 0.1

url:https://www.redhat.com/security/data/cve/cve-2013-3335.html

Trust: 0.1

url:https://www.redhat.com/security/data/cve/cve-2013-3331.html

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-3334

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-2728

Trust: 0.1

url:https://www.redhat.com/security/data/cve/cve-2013-3327.html

Trust: 0.1

url:https://access.redhat.com/security/team/contact/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-3332

Trust: 0.1

url:https://www.redhat.com/mailman/listinfo/rhsa-announce

Trust: 0.1

url:https://www.redhat.com/security/data/cve/cve-2013-3332.html

Trust: 0.1

url:https://www.redhat.com/security/data/cve/cve-2013-3324.html

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-3335

Trust: 0.1

url:https://www.redhat.com/security/data/cve/cve-2013-3334.html

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-3326

Trust: 0.1

url:https://www.redhat.com/security/data/cve/cve-2013-3330.html

Trust: 0.1

url:https://access.redhat.com/knowledge/articles/11258

Trust: 0.1

url:https://www.redhat.com/security/data/cve/cve-2013-3326.html

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-3331

Trust: 0.1

url:https://www.redhat.com/security/data/cve/cve-2013-3328.html

Trust: 0.1

url:https://access.redhat.com/security/team/key/#package

Trust: 0.1

url:https://www.redhat.com/security/data/cve/cve-2013-3333.html

Trust: 0.1

url:https://www.redhat.com/security/data/cve/cve-2013-3329.html

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-3327

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-3328

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-3330

Trust: 0.1

url:http://bugzilla.redhat.com/):

Trust: 0.1

url:https://www.redhat.com/security/data/cve/cve-2013-2728.html

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-3325

Trust: 0.1

sources: VULHUB: VHN-63332 // BID: 59896 // JVNDB: JVNDB-2013-002697 // PACKETSTORM: 121646 // CNNVD: CNNVD-201305-356 // NVD: CVE-2013-3330

CREDITS

Mateusz Jurczyk and Ben Hawkes of the Google Security Team

Trust: 0.3

sources: BID: 59896

SOURCES

db:VULHUBid:VHN-63332
db:BIDid:59896
db:JVNDBid:JVNDB-2013-002697
db:PACKETSTORMid:121646
db:CNNVDid:CNNVD-201305-356
db:NVDid:CVE-2013-3330

LAST UPDATE DATE

2024-08-14T12:13:45.452000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-63332date:2020-08-25T00:00:00
db:BIDid:59896date:2014-05-14T12:54:00
db:JVNDBid:JVNDB-2013-002697date:2013-12-25T00:00:00
db:CNNVDid:CNNVD-201305-356date:2020-08-26T00:00:00
db:NVDid:CVE-2013-3330date:2020-08-25T13:38:45.813

SOURCES RELEASE DATE

db:VULHUBid:VHN-63332date:2013-05-16T00:00:00
db:BIDid:59896date:2013-05-14T00:00:00
db:JVNDBid:JVNDB-2013-002697date:2013-05-17T00:00:00
db:PACKETSTORMid:121646date:2013-05-15T15:55:00
db:CNNVDid:CNNVD-201305-356date:2013-05-17T00:00:00
db:NVDid:CVE-2013-3330date:2013-05-16T11:45:31.623