CVE-2014-4671

Published: 09/07/2014 Updated: 22/09/2015
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
VMScore: 470
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Vulnerability Summary

Adobe Flash Player prior to 13.0.0.231 and 14.x prior to 14.0.0.145 on Windows and OS X and prior to 11.2.202.394 on Linux, Adobe AIR prior to 14.0.0.137 on Android, Adobe AIR SDK prior to 14.0.0.137, and Adobe AIR SDK & Compiler prior to 14.0.0.137 do not properly restrict the SWF file format, which allows remote malicious users to conduct cross-site request forgery (CSRF) attacks against JSONP endpoints, and obtain sensitive information, via a crafted OBJECT element with SWF content satisfying the character-set requirements of a callback API.

Vulnerable Products

adobe flash_player 11.2.202.223
adobe flash_player 11.2.202.228
adobe flash_player 11.2.202.233
adobe flash_player 11.2.202.235
adobe flash_player 11.2.202.236
adobe flash_player 11.2.202.238
adobe flash_player 11.2.202.243
adobe flash_player 11.2.202.251
adobe flash_player 11.2.202.258
adobe flash_player 11.2.202.261
adobe flash_player 11.2.202.262
adobe flash_player 11.2.202.270
adobe flash_player 11.2.202.273
adobe flash_player 11.2.202.275
adobe flash_player 11.2.202.280
adobe flash_player 11.2.202.285
adobe flash_player 11.2.202.291
adobe flash_player 11.2.202.297
adobe flash_player 11.2.202.310
adobe flash_player 11.2.202.332
adobe flash_player 11.2.202.335
adobe flash_player 11.2.202.336
adobe flash_player 11.2.202.341
adobe flash_player 11.2.202.346
adobe flash_player 11.2.202.350
adobe flash_player 11.2.202.356
adobe flash_player 11.2.202.359
adobe flash_player
adobe adobe air 13.0.0.83
adobe adobe air 13.0.0.111
adobe adobe air
adobe adobe air sdk 13.0.0.83
adobe adobe air sdk 13.0.0.111
adobe adobe air sdk
adobe flash_player 13.0.0.182
adobe flash_player 13.0.0.201
adobe flash_player 13.0.0.206
adobe flash_player 13.0.0.214
adobe flash_player 14.0.0.125

Vendor Advisories

A flaw was found that would lead to Cross-Site Request Forgery (CSRF) attacks ...

Metasploit Modules

Flash "Rosetta" JSONP GET/POST Response Disclosure

A website that serves a JSONP endpoint that accepts a custom alphanumeric callback of 1200 chars can be abused to serve an encoded swf payload that steals the contents of a same-domain URL. Flash < 14.0.0.145 is required. This module spins up a web server that, upon navigation from a user, attempts to abuse the specified JSONP endpoint URLs by stealing the response from GET requests to STEAL_URLS.

msf > use auxiliary/gather/flash_rosetta_jsonp_url_disclosure
msf auxiliary(flash_rosetta_jsonp_url_disclosure) > show actions
    ...actions...
msf auxiliary(flash_rosetta_jsonp_url_disclosure) > set ACTION <action-name>
msf auxiliary(flash_rosetta_jsonp_url_disclosure) > show options
    ...show and set options...
msf auxiliary(flash_rosetta_jsonp_url_disclosure) > run
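The server-side half of this bug is a JSONP endpoint that echoes a long, caller-chosen callback as the first bytes of its response. As an added defensive example (not code from this page, the Metasploit module or the Rosetta Flash tool), the hardened responder below rejects callbacks that are long or outside a conservative identifier grammar and prefixes the body with `/**/` so the response can never begin with a SWF signature (FWS, CWS or ZWS); the naive handler is included for contrast. The 64-character cap and the `CALLBACK_RE` grammar are assumptions, not values from the page.

```python
import json
import re

# Hypothetical hardened JSONP responder, constructed for illustration (not the
# page's or the Metasploit module's code). Mitigations: strict callback grammar,
# short length cap, and a '/**/' prefix so the body never starts with a SWF
# signature. The 64-character cap and the grammar are assumptions.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$.]{0,63}$")
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")  # uncompressed, zlib and LZMA SWF headers


def starts_like_swf(body: bytes) -> bool:
    """True if Flash would recognise this response body as a SWF file."""
    return body[:3] in SWF_MAGIC


def naive_jsonp_body(callback: str, payload: dict) -> bytes:
    """The vulnerable pattern: echo any caller-supplied callback verbatim."""
    return (callback + "(" + json.dumps(payload) + ");").encode("utf-8")


def jsonp_response(callback: str, payload: dict) -> tuple:
    """Return (status, headers, body) for a JSONP request, hardened."""
    if not CALLBACK_RE.match(callback):
        return 400, {"Content-Type": "text/plain"}, b"invalid callback"
    # A leading comment keeps the script valid JavaScript while guaranteeing
    # that the first bytes are never a SWF signature, whatever the callback is.
    body = "/**/" + callback + "(" + json.dumps(payload) + ");"
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return 200, headers, body.encode("utf-8")


if __name__ == "__main__":
    # Constructed probe: a callback whose first bytes equal the zlib SWF magic.
    probe = "CWSabc123"
    print("naive body looks like SWF:", starts_like_swf(naive_jsonp_body(probe, {})))
    print("hardened response:", jsonp_response(probe, {"ok": True}))
    print("1200-char callback status:", jsonp_response("A" * 1200, {})[0])
```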

Github Repositories

A tool for manipulating SWF files, leveraging zlib to craft alphanumeric-only valid SWF files in order to allow CSRF with SOP bypass thanks to JSONP abuse.

Rosetta Flash (CVE-2014-4671) Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 do not properly restrict the SWF file format, which allows remote attackers to conduct cross-site reques