CVE-2014-0502

Double free vulnerability in Adobe Flash Player before 11.7.700.269 and 11.8.x through 12.0.x before 12.0.0.70 on Windows and Mac OS X and before 11.2.202.341 on Linux, Adobe AIR before 4.0.0.1628 on Android, Adobe AIR SDK before 4.0.0.1628, and Adobe AIR SDK & Compiler before 4.0.0.1628 allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in February 2014.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.8 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
adobeCNA
---
---
CVEADP
---
---
CISA-ADPADP
8.8 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 97%
VendorProductVersion
adobeflash_player
𝑥
< 11.7.700.269
adobeflash_player
11.8.800.94 ≤
𝑥
< 12.0.0.70
adobeadobe_air_sdk
𝑥
< 4.0.0.1628
adobeflash_player
𝑥
< 11.2.202.341
adobeadobe_air
𝑥
< 4.0.0.1628
opensuseopensuse
11.4
opensuseopensuse
12.3
opensuseopensuse
13.1
redhatenterprise_linux_desktop
5.0
redhatenterprise_linux_desktop
6.0
redhatenterprise_linux_eus
6.5
redhatenterprise_linux_server
5.0
redhatenterprise_linux_server
6.0
redhatenterprise_linux_server_aus
6.5
redhatenterprise_linux_workstation
5.0
redhatenterprise_linux_workstation
6.0
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
adobe-flashplugin
saucy
Fixed 11.2.202.341-0saucy1
released
quantal
Fixed 11.2.202.341-0quantal1
released
precise
Fixed 11.2.202.341-0precise1
released
lucid
ignored
flashplugin-nonfree
saucy
Fixed 11.2.202.341ubuntu0.13.10.1
released
quantal
Fixed 11.2.202.341ubuntu0.12.10.1
released
precise
Fixed 11.2.202.341ubuntu0.12.04.1
released
lucid
ignored
Common Weakness Enumeration
References
http://helpx.adobe.com/security/products/flash-player/apsb14-07.html
http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00014.html
http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00015.html
http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00017.html
http://rhn.redhat.com/errata/RHSA-2014-0196.html
http://security.gentoo.org/glsa/glsa-201405-04.xml
http://www.alienvault.com/open-threat-exchange/blog/analysis-of-an-attack-exploiting-the-adobe-zero-day-cve-2014-0502/
https://volatility-labs.blogspot.com/2014/04/building-decoder-for-cve-2014-0502.html
http://helpx.adobe.com/security/products/flash-player/apsb14-07.html
http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00014.html
http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00015.html
http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00017.html
http://rhn.redhat.com/errata/RHSA-2014-0196.html
http://security.gentoo.org/glsa/glsa-201405-04.xml
http://www.alienvault.com/open-threat-exchange/blog/analysis-of-an-attack-exploiting-the-adobe-zero-day-cve-2014-0502/
https://volatility-labs.blogspot.com/2014/04/building-decoder-for-cve-2014-0502.html