Vulnerability Details : CVE-2017-11292
Adobe Flash Player version 27.0.0.159 and earlier has a flawed bytecode verification procedure, which allows for an untrusted value to be used in the calculation of an array index. This can lead to type confusion, and successful exploitation could lead to arbitrary code execution.
CVE-2017-11292 is in the CISA Known Exploited Vulnerabilities Catalog
CISA vulnerability name:
Adobe Flash Player Type Confusion Vulnerability
CISA required action:
The impacted product is end-of-life and should be disconnected if still in use.
CISA description:
Adobe Flash Player contains a type confusion vulnerability which can allow for remote code execution.
Added on
2022-03-03
Action due date
2022-03-24
Exploit prediction scoring system (EPSS) score for CVE-2017-11292
Probability of exploitation activity in the next 30 days: 2.99%
Percentile (the proportion of vulnerabilities scored at or below this one): ~91%
CVSS scores for CVE-2017-11292
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source
---|---|---|---|---|---
6.0 | MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:P | 6.8 | 6.4 | NIST
8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST
CWE ids for CVE-2017-11292
- The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type. Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-11292
- https://helpx.adobe.com/security/products/flash-player/apsb17-32.html
  Adobe Security Bulletin (Patch; Vendor Advisory)
- http://www.securitytracker.com/id/1039582
  Adobe Flash Player Type Confusion Error Lets Remote Users Execute Arbitrary Code - SecurityTracker (Broken Link; Third Party Advisory; VDB Entry)
- https://access.redhat.com/errata/RHSA-2017:2899
  RHSA-2017:2899 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://security.gentoo.org/glsa/201710-22
  Adobe Flash Player: Remote execution of arbitrary code (GLSA 201710-22) - Gentoo security (Third Party Advisory)
- http://www.securityfocus.com/bid/101286
  Adobe Flash Player CVE-2017-11292 Type Confusion Remote Code Execution Vulnerability (Broken Link; Third Party Advisory; VDB Entry)
Products affected by CVE-2017-11292
- cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:internet_explorer:*:*
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:chrome:*:*
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:edge:*:*
- cpe:2.3:a:adobe:flash_player_desktop_runtime:*:*:*:*:*:*:*:*