CVE-2015-3113

CRITICAL KEV

Adobe Flash Player Nellymoser Audio Decoding Buffer Overflow

Title source: metasploit

Description

Heap-based buffer overflow in Adobe Flash Player before 13.0.0.296 and 14.x through 18.x before 18.0.0.194 on Windows and OS X and before 11.2.202.468 on Linux allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in June 2015.

Exploits (2)

metasploit WORKING POC GREAT
by Unknown, juan vazquez · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/browser/adobe_flash_nellymoser_bof.rb
exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · multiple
https://www.exploit-db.com/exploits/37536

Scores

CVSS v3 9.8
EPSS 0.9242
EPSS Percentile 99.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitation Intel

CISA KEV 2022-04-13
VulnCheck KEV 2015-06-23
InTheWild.io 2015-06-23
ENISA EUVD EUVD-2015-3194

Classification

CWE
CWE-122 CWE-787
Status draft

Affected Products (17)

adobe/flash_player < 13.0.0.296
opensuse/evergreen
opensuse/opensuse
opensuse/opensuse
suse/linux_enterprise_desktop
suse/linux_enterprise_workstation_extension
hp/insight_orchestration < 7.5.0
hp/system_management_homepage < 7.5.0
hp/systems_insight_manager < 7.5
hp/version_control_agent < 7.5.0
hp/version_control_repository_manager < 7.5.0
hp/version_control_repository_manager
hp/virtual_connect_enterprise_manager < 7.5.0
redhat/enterprise_linux_desktop
redhat/enterprise_linux_eus
... and 2 more

Timeline

Published Jun 23, 2015
KEV Added Apr 13, 2022
Tracked Since Feb 18, 2026