Executive Summary
This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Summary | |
---|---|
Title | Sun Alert 248586 Multiple Security Vulnerabilities in the Flash Player Plugin for Solaris |
Informations | |||
---|---|---|---|
Name | SUN-248586 | First vendor Publication | 2009-01-06 |
Vendor | Sun | Last vendor Modification | 2009-01-12 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 10 | Attack Range | Network |
Cvss Impact Score | 10 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Original Source
Url : http://blogs.sun.com/security/entry/sun_alert_248586_multiple_security |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
31 % | CWE-264 | Permissions, Privileges, and Access Controls |
23 % | CWE-20 | Improper Input Validation |
15 % | CWE-399 | Resource Management Errors |
15 % | CWE-200 | Information Exposure |
15 % | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25) |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:10987 | |||
Oval ID: | oval:org.mitre.oval:def:10987 | ||
Title: | PerlRun.pm in Apache mod_perl before 1.30, and RegistryCooker.pm in mod_perl 2.x, does not properly escape PATH_INFO before use in a regular expression, which allows remote attackers to cause a denial of service (resource consumption) via a crafted URI. | ||
Description: | PerlRun.pm in Apache mod_perl before 1.30, and RegistryCooker.pm in mod_perl 2.x, does not properly escape PATH_INFO before use in a regular expression, which allows remote attackers to cause a denial of service (resource consumption) via a crafted URI. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2007-1349 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 3 CentOS Linux 3 Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:11069 | |||
Oval ID: | oval:org.mitre.oval:def:11069 | ||
Title: | Adobe Flash Player 9.x up to 9.0.48.0, 8.x up to 8.0.35.0, and 7.x up to 7.0.70.0 does not sufficiently restrict the interpretation and usage of cross-domain policy files, which makes it easier for remote attackers to conduct cross-domain and cross-site scripting (XSS) attacks. | ||
Description: | Adobe Flash Player 9.x up to 9.0.48.0, 8.x up to 8.0.35.0, and 7.x up to 7.0.70.0 does not sufficiently restrict the interpretation and usage of cross-domain policy files, which makes it easier for remote attackers to conduct cross-domain and cross-site scripting (XSS) attacks. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2007-6243 | Version: | 3 |
Platform(s): | Red Hat Enterprise Linux Extras 3 Red Hat Enterprise Linux Extras 4 Red Hat Enterprise Linux Extras 5 | Product(s): | |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:11874 | |||
Oval ID: | oval:org.mitre.oval:def:11874 | ||
Title: | ActionScript 3 (AS3) in Adobe Flash Player 9.0.47.0, and other versions and other 9.0.124.0 and earlier versions, allows remote attackers to bypass the Security Sandbox Model, obtain sensitive information, and port scan arbitrary hosts via a Flash (SWF) movie that specifies a connection to make, then uses timing discrepancies from the SecurityErrorEvent error to determine whether a port is open or not. NOTE: 9.0.115.0 introduces support for a workaround, but does not fix the vulnerability. | ||
Description: | ActionScript 3 (AS3) in Adobe Flash Player 9.0.47.0, and other versions and other 9.0.124.0 and earlier versions, allows remote attackers to bypass the Security Sandbox Model, obtain sensitive information, and port scan arbitrary hosts via a Flash (SWF) movie that specifies a connection to make, then uses timing discrepancies from the SecurityErrorEvent error to determine whether a port is open or not. NOTE: 9.0.115.0 introduces support for a workaround, but does not fix the vulnerability. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2007-4324 | Version: | 3 |
Platform(s): | Red Hat Enterprise Linux Extras 3 Red Hat Enterprise Linux Extras 4 Red Hat Enterprise Linux Extras 5 | Product(s): | |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:21702 | |||
Oval ID: | oval:org.mitre.oval:def:21702 | ||
Title: | ELSA-2007:0395: mod_perl security update (Low) | ||
Description: | PerlRun.pm in Apache mod_perl before 1.30, and RegistryCooker.pm in mod_perl 2.x, does not properly escape PATH_INFO before use in a regular expression, which allows remote attackers to cause a denial of service (resource consumption) via a crafted URI. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2007:0395-02 CVE-2007-1349 | Version: | 6 |
Platform(s): | Oracle Linux 5 | Product(s): | mod_perl |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:22730 | |||
Oval ID: | oval:org.mitre.oval:def:22730 | ||
Title: | ELSA-2008:0945: flash-plugin security update (Critical) | ||
Description: | The ActionScript 2 virtual machine in Adobe Flash Player 10.x before 10.0.12.36 and 9.x before 9.0.151.0, and Adobe AIR before 1.5, does not validate character elements during retrieval from the dictionary data structure, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted PDF file. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2008:0945-02 CVE-2007-4324 CVE-2007-6243 CVE-2008-3873 CVE-2008-4401 CVE-2008-4503 CVE-2008-4818 CVE-2008-4819 CVE-2008-4821 CVE-2008-4822 CVE-2008-4823 CVE-2008-4824 CVE-2008-5361 CVE-2008-5362 CVE-2008-5363 | Version: | 61 |
Platform(s): | Oracle Linux 5 | Product(s): | flash-plugin |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:24854 | |||
Oval ID: | oval:org.mitre.oval:def:24854 | ||
Title: | ActionScript 3 (AS3) in Adobe Flash Player 9.0.47.0, and other versions and other 9.0.124.0 and earlier versions, allows remote attackers to bypass the Security Sandbox Model, obtain sensitive information, and port scan arbitrary hosts via a Flash (SWF) movie that specifies a connection to make, then uses timing discrepancies from the SecurityErrorEvent error to determine whether a port is open or not | ||
Description: | ActionScript 3 (AS3) in Adobe Flash Player 9.0.47.0, and other versions and other 9.0.124.0 and earlier versions, allows remote attackers to bypass the Security Sandbox Model, obtain sensitive information, and port scan arbitrary hosts via a Flash (SWF) movie that specifies a connection to make, then uses timing discrepancies from the SecurityErrorEvent error to determine whether a port is open or not. NOTE: 9.0.115.0 introduces support for a workaround, but does not fix the vulnerability. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2007-4324 | Version: | 10 |
Platform(s): | Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Vista Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows 7 Microsoft Windows Server 2008 R2 Microsoft Windows 8 Microsoft Windows Server 2012 Microsoft Windows 8.1 Microsoft Windows Server 2012 R2 | Product(s): | Adobe Flash Player |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:24909 | |||
Oval ID: | oval:org.mitre.oval:def:24909 | ||
Title: | Adobe Flash Player 9.x up to 9.0.48.0, 8.x up to 8.0.35.0, and 7.x up to 7.0.70.0 does not sufficiently restrict the interpretation and usage of cross-domain policy files, which makes it easier for remote attackers to conduct cross-domain and cross-site scripting (XSS) attacks. | ||
Description: | Adobe Flash Player 9.x up to 9.0.48.0, 8.x up to 8.0.35.0, and 7.x up to 7.0.70.0 does not sufficiently restrict the interpretation and usage of cross-domain policy files, which makes it easier for remote attackers to conduct cross-domain and cross-site scripting (XSS) attacks. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2007-6243 | Version: | 7 |
Platform(s): | Microsoft Windows XP Microsoft Windows Vista Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows 7 Microsoft Windows Server 2008 R2 Microsoft Windows 8 Microsoft Windows Server 2012 Microsoft Windows 8.1 Microsoft Windows Server 2012 R2 | Product(s): | Adobe Flash Player |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:8349 | |||
Oval ID: | oval:org.mitre.oval:def:8349 | ||
Title: | Security Vulnerabilities in the Apache 2 "mod_perl2" Module Components "PerlRun.pm" May Lead to Denial of Service (DoS) or Unauthorized Access to Data | ||
Description: | PerlRun.pm in Apache mod_perl before 1.30, and RegistryCooker.pm in mod_perl 2.x, does not properly escape PATH_INFO before use in a regular expression, which allows remote attackers to cause a denial of service (resource consumption) via a crafted URI. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2007-1349 | Version: | 2 |
Platform(s): | Sun Solaris 10 | Product(s): | |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2010-05-12 | Name : Mac OS X 10.5.3 Update / Mac OS X Security Update 2008-003 File : nvt/macosx_upd_10_5_3_secupd_2008-003.nasl |
2009-11-17 | Name : Mac OS X Version File : nvt/macosx_version.nasl |
2009-10-10 | Name : SLES9: Security update for mod_perl File : nvt/sles9p5019089.nasl |
2009-04-24 | Name : Mod_Perl Path_Info Remote Denial Of Service Vulnerability File : nvt/modperl_cve_2007_1349.nasl |
2009-04-09 | Name : Mandriva Update for apache-mod_perl MDKSA-2007:083 (apache-mod_perl) File : nvt/gb_mandriva_MDKSA_2007_083.nasl |
2009-03-23 | Name : Ubuntu Update for libapache2-mod-perl2 vulnerability USN-488-1 File : nvt/gb_ubuntu_USN_488_1.nasl |
2009-03-13 | Name : Gentoo Security Advisory GLSA 200903-23 (netscape-flash) File : nvt/glsa_200903_23.nasl |
2009-02-27 | Name : Fedora Update for mod_perl FEDORA-2007-0316 File : nvt/gb_fedora_2007_0316_mod_perl_fc7.nasl |
2009-02-27 | Name : Fedora Update for mod_perl FEDORA-2007-576 File : nvt/gb_fedora_2007_576_mod_perl_fc5.nasl |
2009-02-27 | Name : Fedora Update for mod_perl FEDORA-2007-577 File : nvt/gb_fedora_2007_577_mod_perl_fc6.nasl |
2009-01-28 | Name : SuSE Update for flash-player SUSE-SA:2007:069 File : nvt/gb_suse_2007_069.nasl |
2009-01-23 | Name : SuSE Update for flash-player SUSE-SA:2008:022 File : nvt/gb_suse_2008_022.nasl |
2008-11-12 | Name : Adobe Flash Player Multiple Vulnerabilities - Nov08 (Linux) File : nvt/gb_adobe_flash_player_mult_vuln_nov08_lin.nasl |
2008-11-12 | Name : Adobe Flash Player Multiple Vulnerabilities - Nov08 (Win) File : nvt/gb_adobe_flash_player_mult_vuln_nov08_win.nasl |
2008-11-01 | Name : FreeBSD Ports: linux-flashplugin File : nvt/freebsd_linux-flashplugin4.nasl |
2008-10-16 | Name : Adobe Flash Player Multiple Security Bypass Vulnerabilities (Win) File : nvt/gb_adobe_flash_player_sec_bypass_vuln_win.nasl |
2008-10-16 | Name : Adobe Flash Player Multiple Security Bypass Vulnerabilities (Linux) File : nvt/gb_adobe_flash_player_sec_bypass_vuln_lin.nasl |
2008-09-24 | Name : Gentoo Security Advisory GLSA 200705-04 (mod_perl) File : nvt/glsa_200705_04.nasl |
2008-09-24 | Name : Gentoo Security Advisory GLSA 200801-07 (netscape-flash) File : nvt/glsa_200801_07.nasl |
2008-09-24 | Name : Gentoo Security Advisory GLSA 200804-21 (netscape-flash) File : nvt/glsa_200804_21.nasl |
2008-09-04 | Name : FreeBSD Ports: linux-flashplugin File : nvt/freebsd_linux-flashplugin2.nasl |
2008-09-04 | Name : FreeBSD Ports: mod_perl File : nvt/freebsd_mod_perl.nasl |
2008-09-03 | Name : Adobe Flash Player 9.0.115.0 and earlier vulnerability (Lin) File : nvt/flash_player_CB-A08-0059.nasl |
2008-09-03 | Name : Adobe Flash Player 9.0.115.0 and earlier vulnerability (Win) File : nvt/smbcl_flash_player_CB-A08-0059.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
53097 | Adobe Multiple Product ActionScript 2 VM Dictionary Data Structure Character ... |
52917 | Adobe Flash Player ActionScript 2 VM DefineConstantPool Action Crafted PDF Fi... |
51567 | Adobe Flash Cross-domain Policy Canonicalization Weakness |
51491 | Adobe Flash Player ActionScript 2 VM Crafted PDF File Handling Multiple Actio... |
50127 | Adobe Flash Player Actionscript FileReference download API FileReference.down... |
50126 | Adobe Flash Player Actionscript FileReference upload API FileReference.browse... |
49958 | Adobe Flash Player Multiple Unspecified Arbitrary Remote Code Execution |
49790 | Adobe Flash Player ActionScript Attribute Interpretation Unspecified XSS |
49785 | Adobe Flash Player Policy File Interpretation Remote Non-root Domain Policy B... |
49783 | Adobe Flash Player on Mozilla jar: URL Unspecified Information Disclosure |
49781 | Adobe Flash Player on Windows ActiveX Unspecified Information Disclosure |
49780 | Adobe Flash Player Unspecified Remote DNS Rebinding Weakness |
49753 | Adobe Flash Player HTTP Response Header XSS |
48944 | Adobe Flash Player Access Control Dialog Remote Security Bypass (ClickJacking) |
48049 | Adobe Flash Player System.setClipboard Method Remote Clipboard Hijack |
41487 | Adobe Flash Player Cross-domain Policy Unspecified Weakness |
41475 | Adobe Flash Player ActionScript 3 (AS3) Crafted SWF Arbitrary Host Portscan |
34541 | mod_perl for Apache HTTP Server RegistryCooker.pm PATH_INFO Crafted URI Remot... The mod_perl module for Apache HTTP Server contains a flaw that may allow a remote attacker to cause a denial of service. The issue is due to the RegistryCooker.pm script not properly escaping the PATH_INFO variable before use in a regular expression. With specially crafted requests, an attacker can exhaust resources and cause the server to stop responding. |
34540 | mod_perl for Apache HTTP Server PerlRun.pm PATH_INFO Crafted URI Remote DoS The mod_perl module for Apache HTTP Server contains a flaw that may allow a remote attacker to cause a denial of service. The issue is due to the PerlRun.pm script not properly escaping the PATH_INFO variable before use in a regular expression. With specially crafted requests, an attacker can exhaust resources and cause the server to stop responding. |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2007-0395.nasl - Type : ACT_GATHER_INFO |
2013-01-24 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2008-0980.nasl - Type : ACT_GATHER_INFO |
2013-01-24 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2008-0945.nasl - Type : ACT_GATHER_INFO |
2013-01-24 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2008-0627.nasl - Type : ACT_GATHER_INFO |
2013-01-24 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2008-0523.nasl - Type : ACT_GATHER_INFO |
2013-01-24 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2008-0263.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20070614_mod_perl_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2010-01-10 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2008-0630.nasl - Type : ACT_GATHER_INFO |
2010-01-10 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2008-0524.nasl - Type : ACT_GATHER_INFO |
2010-01-10 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2008-0261.nasl - Type : ACT_GATHER_INFO |
2009-09-24 | Name : The remote SuSE 9 host is missing a security-related patch. File : suse9_11496.nasl - Type : ACT_GATHER_INFO |
2009-08-24 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2008-0221.nasl - Type : ACT_GATHER_INFO |
2009-08-24 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2007-1126.nasl - Type : ACT_GATHER_INFO |
2009-07-21 | Name : The remote openSUSE host is missing a security update. File : suse_11_0_flash-player-081107.nasl - Type : ACT_GATHER_INFO |
2009-03-11 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200903-23.nasl - Type : ACT_GATHER_INFO |
2008-12-16 | Name : The remote host is missing a Mac OS X update that fixes various security issues. File : macosx_SecUpd2008-008.nasl - Type : ACT_GATHER_INFO |
2008-12-16 | Name : The remote host is missing a Mac OS X update that fixes various security issues. File : macosx_10_5_6.nasl - Type : ACT_GATHER_INFO |
2008-11-18 | Name : The remote Windows host contains a runtime environment that is affected by mu... File : adobe_air_apsb08-23.nasl - Type : ACT_GATHER_INFO |
2008-11-12 | Name : The remote openSUSE host is missing a security update. File : suse_flash-player-5747.nasl - Type : ACT_GATHER_INFO |
2008-11-12 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_flash-player-5757.nasl - Type : ACT_GATHER_INFO |
2008-11-11 | Name : The remote Windows host contains a browser plugin that is affected by multipl... File : flash_player_apsb08-20.nasl - Type : ACT_GATHER_INFO |
2008-10-20 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_78f456fd9c8711dda55e00163e000016.nasl - Type : ACT_GATHER_INFO |
2008-04-22 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200804-21.nasl - Type : ACT_GATHER_INFO |
2008-04-17 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_flash-player-5159.nasl - Type : ACT_GATHER_INFO |
2008-04-17 | Name : The remote openSUSE host is missing a security update. File : suse_flash-player-5161.nasl - Type : ACT_GATHER_INFO |
2008-04-10 | Name : The remote Windows host contains a browser plugin that is affected by multipl... File : flash_player_apsb08-11.nasl - Type : ACT_GATHER_INFO |
2008-01-21 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200801-07.nasl - Type : ACT_GATHER_INFO |
2008-01-04 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_562cf6c4b9f111dca302000102cc8983.nasl - Type : ACT_GATHER_INFO |
2007-12-24 | Name : The remote openSUSE host is missing a security update. File : suse_flash-player-4855.nasl - Type : ACT_GATHER_INFO |
2007-12-24 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_flash-player-4856.nasl - Type : ACT_GATHER_INFO |
2007-12-19 | Name : The remote Windows host contains a browser plugin that is affected by multipl... File : flash_player_apsb07-20.nasl - Type : ACT_GATHER_INFO |
2007-11-10 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-488-1.nasl - Type : ACT_GATHER_INFO |
2007-11-06 | Name : The remote Fedora host is missing a security update. File : fedora_2007-0316.nasl - Type : ACT_GATHER_INFO |
2007-06-18 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2007-0486.nasl - Type : ACT_GATHER_INFO |
2007-06-18 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2007-0395.nasl - Type : ACT_GATHER_INFO |
2007-06-14 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2007-0395.nasl - Type : ACT_GATHER_INFO |
2007-06-12 | Name : The remote Fedora Core host is missing a security update. File : fedora_2007-577.nasl - Type : ACT_GATHER_INFO |
2007-06-12 | Name : The remote Fedora Core host is missing a security update. File : fedora_2007-576.nasl - Type : ACT_GATHER_INFO |
2007-05-03 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200705-04.nasl - Type : ACT_GATHER_INFO |
2007-04-30 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_ef2ffb03f2b011dbad250010b5a0a860.nasl - Type : ACT_GATHER_INFO |
2007-04-12 | Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2007-083.nasl - Type : ACT_GATHER_INFO |
2006-07-18 | Name : The remote host is missing Sun Security Patch number 122911-37 File : solaris10_122911.nasl - Type : ACT_GATHER_INFO |
2006-07-18 | Name : The remote host is missing Sun Security Patch number 122912-37 File : solaris10_x86_122912.nasl - Type : ACT_GATHER_INFO |
2004-10-17 | Name : The remote host is missing Sun Security Patch number 116973-07 File : solaris8_116973.nasl - Type : ACT_GATHER_INFO |
2004-10-17 | Name : The remote host is missing Sun Security Patch number 116974-07 File : solaris8_x86_116974.nasl - Type : ACT_GATHER_INFO |
2004-07-12 | Name : The remote host is missing Sun Security Patch number 113146-13 File : solaris9_113146.nasl - Type : ACT_GATHER_INFO |
2004-07-12 | Name : The remote host is missing Sun Security Patch number 114145-12 File : solaris9_x86_114145.nasl - Type : ACT_GATHER_INFO |