CVE-2015-8651
Published: 28 December 2015
Summary
CVE-2015-8651 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in SUSE Linux Enterprise Desktop. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 0.5% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability CVE-2015-8651 is an integer overflow, tracked as CWE-190, that affects Adobe Flash Player versions before 18.0.0.324 as well as 19.x and 20.x before 20.0.0.267 on Windows and OS X and before 11.2.202.559 on Linux. It also impacts Adobe AIR, Adobe AIR SDK, and Adobe AIR SDK & Compiler before 20.0.0.233. The flaw received a CVSS 3.1 score of 8.8.
An attacker can exploit the issue over the network with low complexity and no authentication, provided the victim performs some user interaction, to execute arbitrary code and thereby gain full control over confidentiality, integrity, and availability on the affected system.
Security advisories published by openSUSE and Red Hat for this vulnerability direct administrators to apply the updated Flash Player and AIR packages referenced in the respective errata to remediate the exposure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2015-8528
Vulnerability details
Integer overflow in Adobe Flash Player before 18.0.0.324 and 19.x and 20.x before 20.0.0.267 on Windows and OS X and before 11.2.202.559 on Linux, Adobe AIR before 20.0.0.233, Adobe AIR SDK before 20.0.0.233, and Adobe AIR SDK & Compiler before 20.0.0.233 allows attackers to execute arbitrary code via unspecified vectors.
- CWE(s): CWE-190 (Integer Overflow or Wraparound)
- KEV Date Added: 25 May 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires applying vendor patches to remediate the integer-overflow flaw in Flash Player/AIR before exploitation occurs.
- SC-18 (Mobile Code): establishes usage restrictions and implementation guidance for mobile code technologies such as Adobe Flash, blocking vulnerable versions from executing.
- CM-7 (Least Functionality): enforces least functionality by disabling or removing unnecessary Flash Player/AIR components that contain the integer-overflow vulnerability.