CVE-2015-5123

CRITICAL KEV

Redhat Enterprise Linux Desktop < 11.2.202.481 - Use After Free

Title source: rule

Description

Use-after-free vulnerability in the BitmapData class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.302 on Windows and OS X, 14.x through 18.0.0.203 on Windows and OS X, 11.x through 11.2.202.481 on Linux, and 12.x through 18.0.0.204 on Linux Chrome installations allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that overrides a valueOf function, as exploited in the wild in July 2015.

References (16)

[Broken Link, Third Party Advisory] http://blog.trendmicro.com/trendlabs-security-intelligence/new-zero-day-vulnerability-cve-2015-5123-in-adobe-flash-emerges-from-hacking-team-leak/

[Mailing List, Third Party Advisory] http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00028.html

[Mailing List, Third Party Advisory] http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00029.html

[Mailing List, Third Party Advisory] http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00032.html

[Mailing List, Third Party Advisory] http://marc.info/?l=bugtraq&m=144050155601375&w=2

[Third Party Advisory] http://rhn.redhat.com/errata/RHSA-2015-1235.html

[Third Party Advisory, US Government Resource] http://www.kb.cert.org/vuls/id/918568

[Broken Link, Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/75710

[Broken Link, Third Party Advisory, VDB Entry] http://www.securitytracker.com/id/1032890

[Third Party Advisory, US Government Resource] http://www.us-cert.gov/ncas/alerts/TA15-195A

[Broken Link, Third Party Advisory] https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04796784

[Broken Link, Vendor Advisory] https://helpx.adobe.com/security/products/flash-player/apsa15-04.html

[Broken Link, Vendor Advisory] https://helpx.adobe.com/security/products/flash-player/apsb15-18.html

[Third Party Advisory] https://security.gentoo.org/glsa/201508-01

[Third Party Advisory, US Government Resource] https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2015-5123

[Issue Tracking] https://github.com/cisagov/vulnrichment/issues/196

Scores

CVSS v3 9.8

EPSS 0.4100

EPSS Percentile 97.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CISA KEV 2022-04-13

VulnCheck KEV 2015-07-05

InTheWild.io 2015-07-05

ENISA EUVD EUVD-2015-5138

CWE

CWE-416

Status published

Products (15)

adobe/flash_player 11.0 - 11.2.202.481

adobe/flash_player 13.0 - 13.0.0.302

adobe/flash_player 18.0 - 18.0.0.203

adobe/flash_player_desktop_runtime 18.0 - 18.0.0.203

opensuse/evergreen 11.4

redhat/enterprise_linux_desktop 5.0

redhat/enterprise_linux_desktop 6.0

redhat/enterprise_linux_server 5.0

redhat/enterprise_linux_server 6.0

redhat/enterprise_linux_server_eus 6.6

... and 5 more

Published Jul 14, 2015

KEV Added Apr 13, 2022

Tracked Since Feb 18, 2026