CVE-2008-5499 : Unspecified vulnerability in Adobe Flash Player for Linux 10.0.12.36, and 9.0.151.0 and earlier, allows remote attackers

Unspecified vulnerability in Adobe Flash Player for Linux 10.0.12.36, and 9.0.151.0 and earlier, allows remote attackers to execute arbitrary code via a crafted SWF file.

Published 2008-12-18 00:30:00

Updated 2017-08-08 01:33:20

Source MITRE

View at NVD, CVE.org

Vulnerability category: Execute code

Exploit prediction scoring system (EPSS) score for CVE-2008-5499

Probability of exploitation activity in the next 30 days: 96.89%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 100 % EPSS Score History EPSS FAQ

Metasploit modules for CVE-2008-5499

Adobe Flash Player ActionScript Launch Command Execution Vulnerability

Disclosure Date: 2008-12-17

First seen: 2020-04-26

exploit/linux/browser/adobe_flashplayer_aslaunch

This module exploits a vulnerability in Adobe Flash Player for Linux, version 10.0.12.36 and 9.0.151.0 and prior. An input validation vulnerability allows command execution when the browser loads a SWF file which contains shell metacharacters in the arguments

More information

CVSS scores for CVE-2008-5499

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
9.3	HIGH	AV:N/AC:M/Au:N/C:C/I:C/A:C	8.6	10.0	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete

CWE ids for CVE-2008-5499

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2008-5499

http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00006.html
http://www.redhat.com/support/errata/RHSA-2008-1047.html
http://www.adobe.com/support/security/bulletins/apsb08-24.html

Adobe - Security Advisories : APSB08-24 - Security update available for Linux Flash Player 10.0.12.36 and Linux Flash Player 9.0.151.0
Patch;Vendor Advisory
http://www.securitytracker.com/id?1021458
http://www.vupen.com/english/advisories/2008/3449
http://security.gentoo.org/glsa/glsa-200903-23.xml

CVEs referencing this url
https://exchange.xforce.ibmcloud.com/vulnerabilities/47445
http://www.securityfocus.com/bid/32896

Adobe Flash Player Remote Command Execution Vulnerability

Products affected by CVE-2008-5499

Adobe » Flash Player For Linux
Versions up to, including, (<=) 9.0.151.0
cpe:2.3:a:adobe:flash_player_for_linux:*:*:*:*:*:*:*:*
Matching versions
When used together with: Linux » Linux Kernel
Adobe » Flash Player For Linux » Version: 10.0.12.36
cpe:2.3:a:adobe:flash_player_for_linux:10.0.12.36:*:*:*:*:*:*:*
Matching versions
When used together with: Linux » Linux Kernel
Adobe » Flash Player For Linux » Version: 9.0.124.0
cpe:2.3:a:adobe:flash_player_for_linux:9.0.124.0:*:*:*:*:*:*:*
Matching versions
When used together with: Linux » Linux Kernel
Adobe » Flash Player For Linux » Version: 9.0.115.0
cpe:2.3:a:adobe:flash_player_for_linux:9.0.115.0:*:*:*:*:*:*:*
Matching versions
When used together with: Linux » Linux Kernel
Adobe » Flash Player For Linux » Version: 9.0.48.0
cpe:2.3:a:adobe:flash_player_for_linux:9.0.48.0:*:*:*:*:*:*:*
Matching versions
When used together with: Linux » Linux Kernel
Adobe » Flash Player For Linux » Version: 9.0.31
cpe:2.3:a:adobe:flash_player_for_linux:9.0.31:*:*:*:*:*:*:*
Matching versions
When used together with: Linux » Linux Kernel