Vulnerability Details : CVE-2014-0502
Potential exploit
Double free vulnerability in Adobe Flash Player before 11.7.700.269 and 11.8.x through 12.0.x before 12.0.0.70 on Windows and Mac OS X and before 11.2.202.341 on Linux, Adobe AIR before 4.0.0.1628 on Android, Adobe AIR SDK before 4.0.0.1628, and Adobe AIR SDK & Compiler before 4.0.0.1628 allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in February 2014.
Vulnerability category: Memory Corruption, Execute code
Products affected by CVE-2014-0502
- cpe:2.3:o:redhat:enterprise_linux_desktop:5.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_eus:6.5:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:5.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:5.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:6.5:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_air:*:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_air_sdk:*:*:*:*:*:*:*:*
- cpe:2.3:o:suse:linux_enterprise_desktop:11:sp3:*:*:*:*:*:*
- cpe:2.3:o:opensuse:opensuse:11.4:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*
CVE-2014-0502 is in the CISA Known Exploited Vulnerabilities Catalog
CISA vulnerability name:
Adobe Flash Player Double Free Vulnerability
CISA required action:
The impacted product is end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue utilization of the product.
CISA description:
Adobe Flash Player contains a double free vulnerability that allows a remote attacker to execute arbitrary code.
Notes:
https://www.adobe.com/products/flashplayer/end-of-life-alternative.html#eol-alternative-faq ; https://nvd.nist.gov/vuln/detail/CVE-2014-0502
Added on
2024-09-17
Action due date
2024-10-08
Exploit prediction scoring system (EPSS) score for CVE-2014-0502
35.02%: Probability of exploitation activity in the next 30 days
~97%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2014-0502
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
10.0 | HIGH | AV:N/AC:L/Au:N/C:C/I:C/A:C | 10.0 | 10.0 | NIST | |
8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 2.8 | 5.9 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 2024-09-18 |
8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST | 2024-09-19 |
CWE ids for CVE-2014-0502
- Assigned by: nvd@nist.gov (Primary)
- The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations. Assigned by:
  - 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
  - nvd@nist.gov (Primary)
References for CVE-2014-0502
- http://rhn.redhat.com/errata/RHSA-2014-0196.html
  RHSA-2014:0196 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- http://helpx.adobe.com/security/products/flash-player/apsb14-07.html
  Adobe Security Bulletin (Broken Link; Patch; Vendor Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00017.html
  [security-announce] SUSE-SU-2014:0290-1: critical: Security update for f (Mailing List)
- http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00015.html
  [security-announce] openSUSE-SU-2014:0278-1: critical: flash-player: upd (Mailing List)
- https://volatility-labs.blogspot.com/2014/04/building-decoder-for-cve-2014-0502.html
  Volatility Labs: Building a Decoder for the CVE-2014-0502 Shellcode (Exploit; Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00014.html
  [security-announce] openSUSE-SU-2014:0277-1: critical: flash-player: upd (Mailing List)
- http://security.gentoo.org/glsa/glsa-201405-04.xml
  Adobe Flash Player: Multiple vulnerabilities (GLSA 201405-04) — Gentoo security (Third Party Advisory)
- http://www.alienvault.com/open-threat-exchange/blog/analysis-of-an-attack-exploiting-the-adobe-zero-day-cve-2014-0502/
  Analysis of an attack exploiting the Adobe Zero-day - CVE-2014-0502 | AT&T Alien Labs (Exploit; Third Party Advisory)