製品・ソフトウェアに関する情報

JVN脆弱性詳細

Adobe Flash Player におけるセキュリティを回避される脆弱性

Title	Adobe Flash Player におけるセキュリティを回避される脆弱性
Summary	Adobe Flash Player には、URL リダイレクトを実行する際、セキュリティを回避され、情報を公開される脆弱性が存在します。
Possible impacts	セキュリティを回避され、情報を公開される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Aug. 8, 2017, midnight
Registration Date	Aug. 17, 2017, 11:58 a.m.
Last Update	Aug. 17, 2017, 11:58 a.m.

Affected System

アドビシステムズ

Adobe Flash Player 26.0.0.151 未満 (Windows 10/8.1 版の Microsoft Edge/Internet Explorer 11)

Adobe Flash Player 26.0.0.151 未満 (Windows/Macintosh/Linux/Chrome OS 版の Chrome)

Adobe Flash Player デスクトップランタイム 26.0.0.151 未満 (Linux)

Adobe Flash Player デスクトップランタイム 26.0.0.151 未満 (Windows/Macintosh)

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2017-3085	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3085
National Vulnerability Database (NVD)
2	CVE-2017-3085	https://nvd.nist.gov/vuln/detail/CVE-2017-3085

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-200	https://jvndb.jvn.jp/ja/cwe/CWE-200.html

ベンダー情報

No	Name	URL
Adobe Security Bulletin
1	APSB17-23	https://helpx.adobe.com/security/products/flash-player/apsb17-23.html
Adobe セキュリティ情報
2	APSB17-23	https://helpx.adobe.com/jp/security/products/flash-player/apsb17-23.html
Google
3	Chrome Releases	http://googlechromereleases.blogspot.jp/
4	Google Chrome	https://www.google.com/intl/ja/chrome/browser/features.html
5	Google Chrome を更新する	https://support.google.com/chrome/answer/95414?hl=ja
Security TechCenter
6	ADV170010 \| August 2017 Flash Update	https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV170010
セキュリティテックセンター
7	ADV170010 \| 2017 年 8 月アップデート	https://portal.msrc.microsoft.com/ja-jp/security-guidance/advisory/ADV170010
富士通セキュリティ情報
8	アドビシステムズ社 Adobe Flash Player の脆弱性に関するお知らせ	http://www.fmworld.net/biz/common/adobe/20170810f.html

その他

No	Name	URL
IPA 重要なセキュリティ情報
1	Adobe Flash Player の脆弱性対策について(APSB17-23)(CVE-2017-3085等)	https://www.ipa.go.jp/security/ciadr/vul/20170809-adobeflashplayer.html
JPCERT 注意喚起
2	JPCERT-AT-2017-0030	http://www.jpcert.or.jp/at/2017/at170030.html

Change Log

No	Changed Details	Date of change
0	[2017年08月17日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2017-3085

Summary	Adobe Flash Player versions 26.0.0.137 and earlier have a security bypass vulnerability that leads to information disclosure when performing URL redirect.
Publication Date	Aug. 12, 2017, 4:29 a.m.
Registration Date	Jan. 26, 2021, 1:23 p.m.
Last Update	Nov. 21, 2024, 12:24 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:adobe:flash_player_desktop_runtime::::::::			26.0.0.137
execution environment
1	cpe:2.3:o:apple:mac_os_x:-:::::::*
2	cpe:2.3:o:linux:linux_kernel:-:::::::*
3	cpe:2.3:o:microsoft:windows:-:::::::*

Configuration2		or higher	or less	more than	less than
cpe:2.3:a:adobe:flash_player::::::edge::*			26.0.0.137
cpe:2.3:a:adobe:flash_player::::::internet_explorer::*			26.0.0.137
execution environment
1	cpe:2.3:o:microsoft:windows_10:-:::::::*
2	cpe:2.3:o:microsoft:windows_8.1:-:::::::*

Configuration3		or higher	or less	more than	less than
cpe:2.3:a:adobe:flash_player::::::chrome::*			26.0.0.137
execution environment
1	cpe:2.3:o:apple:mac_os_x:-:::::::*
2	cpe:2.3:o:google:chrome_os:-:::::::*
3	cpe:2.3:o:linux:linux_kernel:-:::::::*
4	cpe:2.3:o:microsoft:windows:-:::::::*

Configuration4	or higher	or less	more than	less than
cpe:2.3:o:redhat:enterprise_linux:6.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:::::::*

Related information, measures and tools

No	URL	タグ
1	http://www.securityfocus.com/bid/100191	Broken Link Third Party Advisory VDB Entry
2	http://www.securityfocus.com/bid/100191	Broken Link Third Party Advisory VDB Entry
3	http://www.securitytracker.com/id/1039088	Broken Link Third Party Advisory VDB Entry
4	http://www.securitytracker.com/id/1039088	Broken Link Third Party Advisory VDB Entry
5	http://www.zerodayinitiative.com/advisories/ZDI-17-634/	Third Party Advisory VDB Entry
6	http://www.zerodayinitiative.com/advisories/ZDI-17-634/	Third Party Advisory VDB Entry
7	https://access.redhat.com/errata/RHSA-2017:2457	Third Party Advisory
8	https://access.redhat.com/errata/RHSA-2017:2457	Third Party Advisory
9	https://blog.bjornweb.nl/2017/08/flash-remote-sandbox-escape-windows-user-credentials-leak/	Exploit Technical Description Third Party Advisory
10	https://blog.bjornweb.nl/2017/08/flash-remote-sandbox-escape-windows-user-credentials-leak/	Exploit Technical Description Third Party Advisory
11	https://helpx.adobe.com/security/products/flash-player/apsb17-23.html	Patch Vendor Advisory
12	https://helpx.adobe.com/security/products/flash-player/apsb17-23.html	Patch Vendor Advisory
13	https://security.gentoo.org/glsa/201709-16	Third Party Advisory
14	https://security.gentoo.org/glsa/201709-16	Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-601	オープンリダイレクト	https://cwe.mitre.org/data/definitions/601.html