Multiple vulnerabilities in Adobe Shockwave Player
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 6 |
| CVE-ID | CVE-2012-4172 CVE-2012-4173 CVE-2012-4174 CVE-2012-4175 CVE-2012-4176 CVE-2012-5273 |
| CWE-ID | CWE-119 CWE-20 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Shockwave Player Client/Desktop applications / Plugins for browsers, ActiveX components |
| Vendor | Adobe |
Security Bulletin
This security bulletin contains information about 6 vulnerabilities.
1) Buffer overflow
EUVDB-ID: #VU43375
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2012-4172
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
Buffer overflow in Adobe Shockwave Player before 11.6.8.638 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2012-4173, CVE-2012-4174, CVE-2012-4175, and CVE-2012-5273.
MitigationInstall update from vendor's website.
Vulnerable software versionsShockwave Player: 1.0 - 11.6.6.636
CPE2.3- cpe:2.3:a:adobe:shockwave_player:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:shockwave_player:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:shockwave_player:3.0:*:*:*:*:*:*:*
https://osvdb.org/86537
https://www.adobe.com/support/security/bulletins/apsb12-23.html
https://www.kb.cert.org/vuls/id/872545
https://exchange.xforce.ibmcloud.com/vulnerabilities/79544
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Buffer overflow
EUVDB-ID: #VU43376
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2012-4173
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
Buffer overflow in Adobe Shockwave Player before 11.6.8.638 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2012-4172, CVE-2012-4174, CVE-2012-4175, and CVE-2012-5273.
MitigationInstall update from vendor's website.
Vulnerable software versionsShockwave Player: 1.0 - 11.6.6.636
CPE2.3- cpe:2.3:a:adobe:shockwave_player:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:shockwave_player:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:shockwave_player:3.0:*:*:*:*:*:*:*
https://osvdb.org/86538
https://www.adobe.com/support/security/bulletins/apsb12-23.html
https://www.kb.cert.org/vuls/id/872545
https://exchange.xforce.ibmcloud.com/vulnerabilities/79545
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Buffer overflow
EUVDB-ID: #VU43377
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2012-4174
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
Buffer overflow in Adobe Shockwave Player before 11.6.8.638 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2012-4172, CVE-2012-4173, CVE-2012-4175, and CVE-2012-5273.
MitigationInstall update from vendor's website.
Vulnerable software versionsShockwave Player: 1.0 - 11.6.6.636
CPE2.3- cpe:2.3:a:adobe:shockwave_player:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:shockwave_player:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:shockwave_player:3.0:*:*:*:*:*:*:*
https://osvdb.org/86539
https://www.adobe.com/support/security/bulletins/apsb12-23.html
https://www.kb.cert.org/vuls/id/872545
https://exchange.xforce.ibmcloud.com/vulnerabilities/79546
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Buffer overflow
EUVDB-ID: #VU43378
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2012-4175
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
Buffer overflow in Adobe Shockwave Player before 11.6.8.638 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2012-4172, CVE-2012-4173, CVE-2012-4174, and CVE-2012-5273.
MitigationInstall update from vendor's website.
Vulnerable software versionsShockwave Player: 1.0 - 11.6.6.636
CPE2.3- cpe:2.3:a:adobe:shockwave_player:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:shockwave_player:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:shockwave_player:3.0:*:*:*:*:*:*:*
https://osvdb.org/86540
https://www.adobe.com/support/security/bulletins/apsb12-23.html
https://www.kb.cert.org/vuls/id/872545
https://exchange.xforce.ibmcloud.com/vulnerabilities/79547
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Input validation error
EUVDB-ID: #VU43379
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2012-4176
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
Array index error in Adobe Shockwave Player before 11.6.8.638 allows attackers to execute arbitrary code via unspecified vectors.
MitigationInstall update from vendor's website.
Vulnerable software versionsShockwave Player: 1.0 - 11.6.6.636
CPE2.3- cpe:2.3:a:adobe:shockwave_player:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:shockwave_player:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:shockwave_player:3.0:*:*:*:*:*:*:*
https://osvdb.org/86542
https://www.adobe.com/support/security/bulletins/apsb12-23.html
https://www.kb.cert.org/vuls/id/872545
https://exchange.xforce.ibmcloud.com/vulnerabilities/79548
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Buffer overflow
EUVDB-ID: #VU43380
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2012-5273
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
Buffer overflow in Adobe Shockwave Player before 11.6.8.638 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2012-4172, CVE-2012-4173, CVE-2012-4174, and CVE-2012-4175.
MitigationInstall update from vendor's website.
Vulnerable software versionsShockwave Player: 1.0 - 11.6.6.636
CPE2.3- cpe:2.3:a:adobe:shockwave_player:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:shockwave_player:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:shockwave_player:3.0:*:*:*:*:*:*:*
https://osvdb.org/86541
https://www.adobe.com/support/security/bulletins/apsb12-23.html
https://www.securityfocus.com/bid/56187
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
