CVE-2009-0520
Adobe Flash Player 9/10 - Invalid Object Reference Remote Code Execution
Severity Score
8.8
*CVSS v3
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
1
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
Adobe Flash Player 9.x before 9.0.159.0 and 10.x before 10.0.22.87 does not properly remove references to destroyed objects during Shockwave Flash file processing, which allows remote attackers to execute arbitrary code via a crafted file, related to a "buffer overflow issue."
Adobe Flash Player v9.x anteriores a v9.0.159.0 y 10.x before 10.0.22.87 no elimina apropiadamente referencias a objetos destruidos durante el procesado de un archivo Shockwave Flash, lo que permite a los atacantes remotos ejecutar arbitrariamente código a través de un fichero manipulado, en relación a un "asunto de desbordamiento de búfer".
Remote exploitation of a invalid object reference vulnerability in Adobe Systems Inc.'s Flash Player could allow an attacker to execute arbitrary code with the privileges of the current user. During the processing of a Shockwave Flash file, a particular object can be created, along with multiple references that point to the object. The object can be destroyed and its associated references removed. However a reference can incorrectly remain pointing to the object. The invalid object resides in uninitialized memory, which the attacker may control to gain arbitrary execution control. iDefense has confirmed the existence of this vulnerability in latest version of Flash Player, version 9.0.124.0. Previous versions may also be affected.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2009-02-10 CVE Reserved
- 2009-02-25 CVE Published
- 2014-04-11 First Exploit
- 2024-08-07 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CAPEC
References (25)
| URL | Tag | Source |
|---|---|---|
| http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=773 | Third Party Advisory | |
| http://secunia.com/advisories/34012 | Third Party Advisory | |
| http://secunia.com/advisories/34226 | Third Party Advisory | |
| http://secunia.com/advisories/34293 | Third Party Advisory | |
| http://secunia.com/advisories/35074 | Third Party Advisory | |
| http://securitytracker.com/id?1021750 | Vdb Entry | |
| http://support.apple.com/kb/HT3549 | X_refsource_confirm |
|
| http://www.us-cert.gov/cas/techalerts/TA09-133A.html | Third Party Advisory | |
| http://www.vupen.com/english/advisories/2009/0743 | Vdb Entry | |
| http://www.vupen.com/english/advisories/2009/1297 | Vdb Entry | |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/48887 | Vdb Entry | |
| https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16057 | Signature | |
| https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6593 | Signature |
| URL | Date | SRC |
|---|---|---|
| https://www.exploit-db.com/exploits/32811 | 2014-04-11 |
| URL | Date | SRC |
|---|---|---|
| http://isc.sans.org/diary.html?storyid=5929 | 2017-09-29 | |
| http://www.adobe.com/support/security/bulletins/apsb09-01.html | 2017-09-29 | |
| http://www.securityfocus.com/bid/33880 | 2017-09-29 | |
| http://www.vupen.com/english/advisories/2009/0513 | 2017-09-29 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Adobe Search vendor "Adobe" | Air Search vendor "Adobe" for product "Air" | 1.5 Search vendor "Adobe" for product "Air" and version "1.5" | - |
Affected
| ||||||
| Adobe Search vendor "Adobe" | Flash Player Search vendor "Adobe" for product "Flash Player" | <= 10.0.12.36 Search vendor "Adobe" for product "Flash Player" and version " <= 10.0.12.36" | - |
Affected
| ||||||
| Adobe Search vendor "Adobe" | Flash Player Search vendor "Adobe" for product "Flash Player" | 7.0 Search vendor "Adobe" for product "Flash Player" and version "7.0" | - |
Affected
| ||||||
| Adobe Search vendor "Adobe" | Flash Player Search vendor "Adobe" for product "Flash Player" | 7.0.1 Search vendor "Adobe" for product "Flash Player" and version "7.0.1" | - |
Affected
| ||||||
| Adobe Search vendor "Adobe" | Flash Player Search vendor "Adobe" for product "Flash Player" | 7.0.25 Search vendor "Adobe" for product "Flash Player" and version "7.0.25" | - |
Affected
| ||||||
| Adobe Search vendor "Adobe" | Flash Player Search vendor "Adobe" for product "Flash Player" | 7.0.63 Search vendor "Adobe" for product "Flash Player" and version "7.0.63" | - |
Affected
| ||||||
| Adobe Search vendor "Adobe" | Flash Player Search vendor "Adobe" for product "Flash Player" | 7.0.63 Search vendor "Adobe" for product "Flash Player" and version "7.0.63" | linux |
Affected
| ||||||
| Adobe Search vendor "Adobe" | Flash Player Search vendor "Adobe" for product "Flash Player" | 7.0.69.0 Search vendor "Adobe" for product "Flash Player" and version "7.0.69.0" | - |
Affected
| ||||||
| Adobe Search vendor "Adobe" | Flash Player Search vendor "Adobe" for product "Flash Player" | 7.0.70.0 Search vendor "Adobe" for product "Flash Player" and version "7.0.70.0" | - |
Affected
| ||||||
| Adobe Search vendor "Adobe" | Flash Player Search vendor "Adobe" for product "Flash Player" | 7.1 Search vendor "Adobe" for product "Flash Player" and version "7.1" | - |
Affected
| ||||||
| Adobe Search vendor "Adobe" | Flash Player Search vendor "Adobe" for product "Flash Player" | 7.1.1 Search vendor "Adobe" for product "Flash Player" and version "7.1.1" | - |
Affected
| ||||||
| Adobe Search vendor "Adobe" | Flash Player Search vendor "Adobe" for product "Flash Player" | 7.2 Search vendor "Adobe" for product "Flash Player" and version "7.2" | - |
Affected
| ||||||
| Adobe Search vendor "Adobe" | Flash Player Search vendor "Adobe" for product "Flash Player" | 8.0 Search vendor "Adobe" for product "Flash Player" and version "8.0" | - |
Affected
| ||||||
| Adobe Search vendor "Adobe" | Flash Player Search vendor "Adobe" for product "Flash Player" | 8.0 Search vendor "Adobe" for product "Flash Player" and version "8.0" | basic |
Affected
| ||||||
| Adobe Search vendor "Adobe" | Flash Player Search vendor "Adobe" for product "Flash Player" | 8.0 Search vendor "Adobe" for product "Flash Player" and version "8.0" | pro |
Affected
| ||||||
| Adobe Search vendor "Adobe" | Flash Player Search vendor "Adobe" for product "Flash Player" | 8.0.24.0 Search vendor "Adobe" for product "Flash Player" and version "8.0.24.0" | - |
Affected
| ||||||
| Adobe Search vendor "Adobe" | Flash Player Search vendor "Adobe" for product "Flash Player" | 8.0.34.0 Search vendor "Adobe" for product "Flash Player" and version "8.0.34.0" | - |
Affected
| ||||||
| Adobe Search vendor "Adobe" | Flash Player Search vendor "Adobe" for product "Flash Player" | 8.0.35.0 Search vendor "Adobe" for product "Flash Player" and version "8.0.35.0" | - |
Affected
| ||||||
| Adobe Search vendor "Adobe" | Flash Player Search vendor "Adobe" for product "Flash Player" | 8.0.39.0 Search vendor "Adobe" for product "Flash Player" and version "8.0.39.0" | - |
Affected
| ||||||
| Adobe Search vendor "Adobe" | Flash Player Search vendor "Adobe" for product "Flash Player" | 9.0.16 Search vendor "Adobe" for product "Flash Player" and version "9.0.16" | - |
Affected
| ||||||
| Adobe Search vendor "Adobe" | Flash Player Search vendor "Adobe" for product "Flash Player" | 9.0.20 Search vendor "Adobe" for product "Flash Player" and version "9.0.20" | - |
Affected
| ||||||
| Adobe Search vendor "Adobe" | Flash Player Search vendor "Adobe" for product "Flash Player" | 9.0.20.0 Search vendor "Adobe" for product "Flash Player" and version "9.0.20.0" | - |
Affected
| ||||||
| Adobe Search vendor "Adobe" | Flash Player Search vendor "Adobe" for product "Flash Player" | 9.0.28 Search vendor "Adobe" for product "Flash Player" and version "9.0.28" | - |
Affected
| ||||||
| Adobe Search vendor "Adobe" | Flash Player Search vendor "Adobe" for product "Flash Player" | 9.0.28.0 Search vendor "Adobe" for product "Flash Player" and version "9.0.28.0" | - |
Affected
| ||||||
| Adobe Search vendor "Adobe" | Flash Player Search vendor "Adobe" for product "Flash Player" | 9.0.31.0 Search vendor "Adobe" for product "Flash Player" and version "9.0.31.0" | - |
Affected
| ||||||
| Adobe Search vendor "Adobe" | Flash Player Search vendor "Adobe" for product "Flash Player" | 9.0.45.0 Search vendor "Adobe" for product "Flash Player" and version "9.0.45.0" | - |
Affected
| ||||||
| Adobe Search vendor "Adobe" | Flash Player Search vendor "Adobe" for product "Flash Player" | 9.0.47.0 Search vendor "Adobe" for product "Flash Player" and version "9.0.47.0" | - |
Affected
| ||||||
| Adobe Search vendor "Adobe" | Flash Player Search vendor "Adobe" for product "Flash Player" | 9.0.48.0 Search vendor "Adobe" for product "Flash Player" and version "9.0.48.0" | - |
Affected
| ||||||
| Adobe Search vendor "Adobe" | Flash Player Search vendor "Adobe" for product "Flash Player" | 9.0.112.0 Search vendor "Adobe" for product "Flash Player" and version "9.0.112.0" | - |
Affected
| ||||||
| Adobe Search vendor "Adobe" | Flash Player Search vendor "Adobe" for product "Flash Player" | 9.0.114.0 Search vendor "Adobe" for product "Flash Player" and version "9.0.114.0" | - |
Affected
| ||||||
| Adobe Search vendor "Adobe" | Flash Player Search vendor "Adobe" for product "Flash Player" | 9.0.115.0 Search vendor "Adobe" for product "Flash Player" and version "9.0.115.0" | - |
Affected
| ||||||
| Adobe Search vendor "Adobe" | Flash Player Search vendor "Adobe" for product "Flash Player" | 9.0.124.0 Search vendor "Adobe" for product "Flash Player" and version "9.0.124.0" | - |
Affected
| ||||||
| Adobe Search vendor "Adobe" | Flash Player Search vendor "Adobe" for product "Flash Player" | 10.0.0.584 Search vendor "Adobe" for product "Flash Player" and version "10.0.0.584" | - |
Affected
| ||||||
| Adobe Search vendor "Adobe" | Flash Player Search vendor "Adobe" for product "Flash Player" | 10.0.12.10 Search vendor "Adobe" for product "Flash Player" and version "10.0.12.10" | - |
Affected
| ||||||
| Adobe Search vendor "Adobe" | Flash Player Search vendor "Adobe" for product "Flash Player" | cs3 Search vendor "Adobe" for product "Flash Player" and version "cs3" | pro |
Affected
| ||||||
| Adobe Search vendor "Adobe" | Flash Player Search vendor "Adobe" for product "Flash Player" | cs4 Search vendor "Adobe" for product "Flash Player" and version "cs4" | pro |
Affected
| ||||||
| Adobe Search vendor "Adobe" | Flash Player For Linux Search vendor "Adobe" for product "Flash Player For Linux" | <= 10.0.15.3 Search vendor "Adobe" for product "Flash Player For Linux" and version " <= 10.0.15.3" | - |
Affected
| ||||||
| Adobe Search vendor "Adobe" | Flex Search vendor "Adobe" for product "Flex" | 3.0 Search vendor "Adobe" for product "Flex" and version "3.0" | - |
Affected
| ||||||