Vulnerability CVE-2015-5571: Information

Description

Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Windows and OS X and before 11.2.202.521 on Linux, Adobe AIR before 19.0.0.190, Adobe AIR SDK before 19.0.0.190, and Adobe AIR SDK & Compiler before 19.0.0.190 do not properly restrict the SWF file format, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks against JSONP endpoints, and obtain sensitive information, via a crafted OBJECT element with SWF content satisfying the character-set requirements of a callback API. NOTE: this issue exists because of an incomplete fix for CVE-2014-4671 and CVE-2014-5333.

Severity: MEDIUM (4.3)

URL: https://nvd.nist.gov/vuln/detail/CVE-2015-5571

Published: Sept. 22, 2015

Modified: Feb. 17, 2017

Error type identifier: CWE-352, CWE-200

Fixed packages

Package name	Branch	Fixed in version	Version from repository	Errata ID	Task #	State
adobe-flash-player	p9	11-alt53	32-alt1110	ALT-PU-2015-1803-1	150378	Fixed
adobe-flash-player	c9f2	11-alt53	32-alt117	ALT-PU-2015-1803-1	150378	Fixed

References to Advisories, Solutions, and Tools

Hyperlink	Resource
https://helpx.adobe.com/security/products/flash-player/apsb15-23.html	Patch Vendor Advisory
76803
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04939841
GLSA-201509-07
openSUSE-SU-2015:1781
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05356388
1033629
RHSA-2015:1814
SUSE-SU-2015:1618
openSUSE-SU-2015:1616
SUSE-SU-2015:1614
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05385680
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722

Affected configurations:
1. Configuration 1
  cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*
  Running on/with:
  cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
  
  Configuration 2
  cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*
  cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*
  cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:*
  Running on/with:
  cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*
  Running on/with:
  cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*
  
  Configuration 3
  cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*
  cpe:2.3:a:adobe:flash_player:14.0.0.125:*:*:*:*:*:*:*
  cpe:2.3:a:adobe:flash_player:14.0.0.145:*:*:*:*:*:*:*
  cpe:2.3:a:adobe:flash_player:14.0.0.176:*:*:*:*:*:*:*
  cpe:2.3:a:adobe:flash_player:14.0.0.179:*:*:*:*:*:*:*
  cpe:2.3:a:adobe:flash_player:15.0.0.152:*:*:*:*:*:*:*
  cpe:2.3:a:adobe:flash_player:15.0.0.167:*:*:*:*:*:*:*
  cpe:2.3:a:adobe:flash_player:15.0.0.189:*:*:*:*:*:*:*
  cpe:2.3:a:adobe:flash_player:15.0.0.223:*:*:*:*:*:*:*
  cpe:2.3:a:adobe:flash_player:15.0.0.239:*:*:*:*:*:*:*
  cpe:2.3:a:adobe:flash_player:15.0.0.246:*:*:*:*:*:*:*
  cpe:2.3:a:adobe:flash_player:16.0.0.235:*:*:*:*:*:*:*
  cpe:2.3:a:adobe:flash_player:16.0.0.257:*:*:*:*:*:*:*
  cpe:2.3:a:adobe:flash_player:16.0.0.287:*:*:*:*:*:*:*
  cpe:2.3:a:adobe:flash_player:16.0.0.296:*:*:*:*:*:*:*
  cpe:2.3:a:adobe:flash_player:17.0.0.134:*:*:*:*:*:*:*
  cpe:2.3:a:adobe:flash_player:17.0.0.169:*:*:*:*:*:*:*
  cpe:2.3:a:adobe:flash_player:17.0.0.188:*:*:*:*:*:*:*
  cpe:2.3:a:adobe:flash_player:17.0.0.190:*:*:*:*:*:*:*
  cpe:2.3:a:adobe:flash_player:17.0.0.191:*:*:*:*:*:*:*
  cpe:2.3:a:adobe:flash_player:18.0.0.160:*:*:*:*:*:*:*
  cpe:2.3:a:adobe:flash_player:18.0.0.194:*:*:*:*:*:*:*
  cpe:2.3:a:adobe:flash_player:18.0.0.203:*:*:*:*:*:*:*
  cpe:2.3:a:adobe:flash_player:18.0.0.209:*:*:*:*:*:*:*
  cpe:2.3:a:adobe:flash_player:18.0.0.232:*:*:*:*:*:*:*
  Running on/with:
  cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*
  Running on/with:
  cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*
  
  Configuration 4
  cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*
  Running on/with:
  cpe:2.3:o:google:android:*:*:*:*:*:*:*:*

Version: v24.4.2

Vulnerability CVE-2015-5571: Information

Description

Fixed packages

References to Advisories, Solutions, and Tools

Configuration 1

Configuration 2

Configuration 3

Configuration 4