CVE-2013-0643
Published: 27 February 2013
Summary
CVE-2013-0643 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Adobe Flash Player. Its CVSS base score is 8.8 (High).
Operationally, it is ranked in the top 1.8% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability CVE-2013-0643 is an improper privilege restriction issue (CWE-269) in the Firefox sandbox implementation within Adobe Flash Player. It affects versions before 10.3.183.67 and 11.x before 11.6.602.171 on Windows and Mac OS X, as well as versions before 10.3.183.67 and 11.x before 11.2.202.273 on Linux, and carries a CVSS 3.1 score of 8.8.
Remote attackers can exploit the flaw by serving crafted SWF content that bypasses sandbox restrictions, resulting in arbitrary code execution on the target system. No user privileges are required beyond visiting a malicious page or opening malicious content, and the issue was observed being exploited in the wild in February 2013.
Security advisories and patches from Adobe (APSB13-08), Red Hat (RHSA-2013-0574), and openSUSE direct administrators to apply the updated Flash Player releases that enforce proper sandbox privileges.
The flaw's public exploitation in February 2013 underscores the need for rapid patching of Flash deployments in browser environments.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2013-0654
Vulnerability details
The Firefox sandbox in Adobe Flash Player before 10.3.183.67 and 11.x before 11.6.602.171 on Windows and Mac OS X, and before 10.3.183.67 and 11.x before 11.2.202.273 on Linux, does not properly restrict privileges, which makes it easier for remote attackers to execute arbitrary code via crafted SWF content, as exploited in the wild in February 2013.
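As an added example (not from this page's source, Adobe or any vendor advisory), the following Python check applies the affected version ranges quoted above to a host inventory so a defender can flag installs still inside the vulnerable ranges; the inventory rows, host names and platform keys are constructed for illustration.

```python
from typing import List, Tuple

# Fixed versions as stated on this page (constructed lookup, keyed by platform).
FIX_10X = "10.3.183.67"                  # everything below this is affected on all platforms
FIX_11X = {                              # 11.x branch: first fixed build per platform
    "windows": "11.6.602.171",
    "macos": "11.6.602.171",
    "linux": "11.2.202.273",
}

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '11.6.602.171' into (11, 6, 602, 171) so versions compare numerically."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)

def is_affected(version: str, platform: str) -> bool:
    """True if this Flash Player build falls inside the CVE-2013-0643 ranges."""
    key = platform.lower()
    if key not in FIX_11X:
        raise ValueError(f"unknown platform: {platform!r}")
    v = parse_version(version)
    if v[0] == 11:                       # "11.x before <platform fix>"
        return v < parse_version(FIX_11X[key])
    if v[0] <= 10:                       # "before 10.3.183.67" covers 10.x and older
        return v < parse_version(FIX_10X)
    return False                         # newer major branches are outside the stated ranges

def affected_hosts(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return the host names whose (platform, version) is still vulnerable."""
    return [host for host, platform, version in inventory if is_affected(version, platform)]

# Constructed sample inventory: (host, platform, installed Flash Player version)
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "11.6.602.171"),   # patched
    ("ws-02", "windows", "11.5.502.149"),   # 11.x below the Windows fix
    ("mac-01", "macos", "10.3.183.50"),     # 10.x below 10.3.183.67
    ("lnx-01", "linux", "11.2.202.273"),    # patched on Linux
    ("lnx-02", "linux", "11.2.202.262"),    # 11.x below the Linux fix
]

if __name__ == "__main__":
    print("still affected:", affected_hosts(SAMPLE_INVENTORY))
```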
- CWE(s): CWE-269 (Improper Privilege Management)
- KEV Date Added: 17 September 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely application of the Adobe-supplied Flash Player patches that correct the sandbox privilege enforcement flaw.
- AC-6 (Least Privilege): enforces least-privilege restrictions on the Flash sandbox, directly mitigating the CWE-269 improper privilege management weakness that enables arbitrary code execution.
- Mobile code restrictions: control the execution and privileges of mobile code (SWF) within browsers, limiting the attack surface exposed to crafted Flash content.