CVE-2015-0310
Published: 23 January 2015
Summary
CVE-2015-0310 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Adobe Flash Player. Its CVSS base score is 7.8 (High).
Operationally, ranked in the top 6.7% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
Adobe Flash Player versions prior to 13.0.0.262, 14.x through 16.x prior to 16.0.0.287 on Windows and OS X, and prior to 11.2.202.438 on Linux contain a flaw that fails to properly restrict discovery of memory addresses. This weakness is tracked under CVE-2015-0310 with a CVSS 3.1 base score of 7.8 and is associated with CWE-200 information disclosure.
Attackers can leverage the issue through unknown vectors to bypass ASLR on Windows systems and obtain an unspecified impact on other platforms. The vulnerability was actively exploited in the wild during January 2015, enabling local attackers with the ability to supply crafted Flash content to weaken memory protections and facilitate further compromise.
Adobe addressed the flaw in security bulletin APSB15-02, which provides updated Flash Player builds for all affected platforms; multiple Secunia advisories also reference the same remediation steps and urge immediate application of the patches. The issue saw real-world exploitation shortly after disclosure, underscoring the need for rapid deployment of the vendor fixes.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2015-0323
Vulnerability details
Adobe Flash Player before 13.0.0.262 and 14.x through 16.x before 16.0.0.287 on Windows and OS X and before 11.2.202.438 on Linux does not properly restrict discovery of memory addresses, which allows attackers to bypass the ASLR protection mechanism on Windows,…
more
and have an unspecified impact on other platforms, via unknown vectors, as exploited in the wild in January 2015.
- CWE(s)
- KEV Date Added
- 25 May 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires timely application of vendor patches that remediate the memory-address disclosure flaw in Adobe Flash Player.
Enforces memory-protection mechanisms such as ASLR that the vulnerability is explicitly designed to bypass.
Restricts use of mobile code (Flash) and thereby reduces the attack surface that supplies the crafted content used to exploit the flaw.