NVD Vulnerability Detail

CVE-2009-3951

Summary	Unspecified vulnerability in the Flash Player ActiveX control in Adobe Flash Player before 10.0.42.34 and Adobe AIR before 1.5.3 on Windows allows remote attackers to obtain the names of local files via unknown vectors. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-4820.
Publication Date	Dec. 11, 2009, 4:30 a.m.
Registration Date	Jan. 29, 2021, 1:25 p.m.
Last Update	Oct. 31, 2018, 1:26 a.m.

CVSS2.0 : HIGH
Score	7.1
Vector	AV:N/AC:M/Au:N/C:C/I:N/A:N
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	中
攻撃前の認証要否(Au)	不要
機密性への影響(C)	高
完全性への影響(I)	なし
可用性への影響(A)	なし
Get all privileges.	いいえ
Get user privileges	いいえ
Get other privileges	いいえ
User operation required	はい

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:adobe:adobe_air:1.0:::::::*
cpe:2.3:a:adobe:adobe_air:1.0.1:::::::*
cpe:2.3:a:adobe:adobe_air:1.1:::::::*
cpe:2.3:a:adobe:adobe_air:1.5.1:::::::*
cpe:2.3:a:adobe:adobe_air::::::::		1.5.2
cpe:2.3:a:adobe:flash_player:7.0:::::::*
cpe:2.3:a:adobe:flash_player:7.0.1:::::::*
cpe:2.3:a:adobe:flash_player:7.0.25:::::::*
cpe:2.3:a:adobe:flash_player:7.0.63:::::::*
cpe:2.3:a:adobe:flash_player:7.0.69.0:::::::*
cpe:2.3:a:adobe:flash_player:7.0.70.0:::::::*
cpe:2.3:a:adobe:flash_player:7.1:::::::*
cpe:2.3:a:adobe:flash_player:7.1.1:::::::*
cpe:2.3:a:adobe:flash_player:7.2:::::::*
cpe:2.3:a:adobe:flash_player:8::pro:::::
cpe:2.3:a:adobe:flash_player:8::professional:::::
cpe:2.3:a:adobe:flash_player:8.0:::::::*
cpe:2.3:a:adobe:flash_player:8.0::basic:::::
cpe:2.3:a:adobe:flash_player:8.0::pro:::::
cpe:2.3:a:adobe:flash_player:8.0.24.0:::::::*
cpe:2.3:a:adobe:flash_player:8.0.34.0:::::::*
cpe:2.3:a:adobe:flash_player:8.0.35.0:::::::*
cpe:2.3:a:adobe:flash_player:8.0.39.0:::::::*
cpe:2.3:a:adobe:flash_player:9.0:::::::*
cpe:2.3:a:adobe:flash_player:9.0.16:::::::*
cpe:2.3:a:adobe:flash_player:9.0.18d60:::::::*
cpe:2.3:a:adobe:flash_player:9.0.20:::::::*
cpe:2.3:a:adobe:flash_player:9.0.20.0:::::::*
cpe:2.3:a:adobe:flash_player:9.0.28:::::::*
cpe:2.3:a:adobe:flash_player:9.0.28.0:::::::*
cpe:2.3:a:adobe:flash_player:9.0.31:::::::*
cpe:2.3:a:adobe:flash_player:9.0.31.0:::::::*
cpe:2.3:a:adobe:flash_player:9.0.45.0:::::::*
cpe:2.3:a:adobe:flash_player:9.0.47.0:::::::*
cpe:2.3:a:adobe:flash_player:9.0.48.0:::::::*
cpe:2.3:a:adobe:flash_player:9.0.112.0:::::::*
cpe:2.3:a:adobe:flash_player:9.0.114.0:::::::*
cpe:2.3:a:adobe:flash_player:9.0.115.0:::::::*
cpe:2.3:a:adobe:flash_player:9.0.124.0:::::::*
cpe:2.3:a:adobe:flash_player:9.0.155.0:::::::*
cpe:2.3:a:adobe:flash_player:9.0.159.0:::::::*
cpe:2.3:a:adobe:flash_player:9.125.0:::::::*
cpe:2.3:a:adobe:flash_player:10.0.0.584:::::::*
cpe:2.3:a:adobe:flash_player:10.0.12.10:::::::*
cpe:2.3:a:adobe:flash_player:10.0.12.36:::::::*
cpe:2.3:a:adobe:flash_player:10.0.22.87:::::::*
cpe:2.3:a:adobe:flash_player::::::::		10.0.32.18

Related information, measures and tools

No	URL	refsource	タグ
1	http://lists.apple.com/archives/security-announce/2010/Jan/msg00000.html	APPLE
2	http://lists.opensuse.org/opensuse-security-announce/2009-12/msg00003.html	SUSE
3	http://osvdb.org/60891	OSVDB
4	http://secunia.com/advisories/37584	SECUNIA	Vendor Advisory
5	http://secunia.com/advisories/37902	SECUNIA
6	http://secunia.com/advisories/38241	SECUNIA
7	http://securitytracker.com/id?1023307	SECTRACK	Patch
8	http://support.apple.com/kb/HT4004	CONFIRM
9	http://www.adobe.com/support/security/bulletins/apsb09-19.html	CONFIRM	Patch Vendor Advisory
10	http://www.securityfocus.com/bid/37199	BID
11	http://www.us-cert.gov/cas/techalerts/TA09-343A.html	CERT	US Government Resource
12	http://www.vupen.com/english/advisories/2009/3456	VUPEN	Patch Vendor Advisory
13	http://www.vupen.com/english/advisories/2010/0173	VUPEN
14	https://exchange.xforce.ibmcloud.com/vulnerabilities/54637	XF
15	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6663	OVAL

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-200	情報漏えい	https://cwe.mitre.org/data/definitions/200.html

JVN Vulnerability Information

Windows 上で稼動する Adobe Flash Player および Adobe AIR の Flash Player の ActiveX コントロールにおけるローカルファイルのファイル名を取得される脆弱性

Title	Windows 上で稼動する Adobe Flash Player および Adobe AIR の Flash Player の ActiveX コントロールにおけるローカルファイルのファイル名を取得される脆弱性
Summary	Windows 上で稼動する Adobe Flash Player および Adobe AIR の Flash Player の ActiveX コントロールには、ローカルファイルのファイル名を取得される脆弱性が存在します。
Possible impacts	第三者により、ローカルファイルのファイル名を取得される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Dec. 8, 2009, midnight
Registration Date	Jan. 19, 2010, 3:55 p.m.
Last Update	Feb. 10, 2010, 1:36 p.m.

Affected System

アドビシステムズ

Adobe AIR 1.5.2 およびそれ以前

Adobe Flash Player 10.0.32.18 およびそれ以前

アップル

Apple Mac OS X v10.5.8

Apple Mac OS X v10.6.2

Apple Mac OS X Server v10.5.8

Apple Mac OS X Server v10.6.2

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2009-3951	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3951
National Vulnerability Database (NVD)
2	CVE-2009-3951	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3951

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-200	https://jvndb.jvn.jp/ja/cwe/CWE-200.html

ベンダー情報

No	Name	URL
Adobe Security Bulletin
1	APSB09-19	http://www.adobe.com/support/security/bulletins/apsb09-19.html
Adobe セキュリティ情報
2	APSB09-19	http://www.adobe.com/jp/support/security/bulletins/apsb09-19.html
Apple Security Updates
3	HT4004	http://support.apple.com/kb/HT4004
Apple セキュリティアップデート
4	HT4004	http://support.apple.com/kb/HT4004?viewlocale=ja_JP

その他

No	Name	URL
ISS X-Force Database
1	54637	http://xforce.iss.net/xforce/xfdb/54637
JPCERT 緊急報告
2	JPCERT-AT-2009-0026	http://www.jpcert.or.jp/at/2009/at090026.txt
JVN
3	JVNTA09-343A	http://jvn.jp/cert/JVNTA09-343A/
JVN Status Tracking Notes
4	JVNTR-2009-28	http://jvn.jp/tr/JVNTR-2009-28/index.html
OPEN SOURCE VULNERABILITY DATABASE (OSVDB)
5	60891	http://osvdb.org/60891
Secunia Advisory
6	SA37584	http://secunia.com/advisories/37584
SecurityFocus
7	37272	http://www.securityfocus.com/bid/37272
SecurityTracker
8	1023307	http://securitytracker.com/id?1023307
US-CERT Cyber Security Alerts
9	SA09-343A	http://www.us-cert.gov/cas/alerts/SA09-343A.html
US-CERT Technical Cyber Security Alert
10	TA09-343A	http://www.us-cert.gov/cas/techalerts/TA09-343A.html
VUPEN Security
11	VUPEN/ADV-2009-3456	http://www.vupen.com/english/advisories/2009/3456
警察庁 @police
12	アドビシステムズ社の Adobe Flash Player および Adobe AIR のセキュリティ修正プログラムについて	http://www.npa.go.jp/cyberpolice/#topics

Change Log

No	Changed Details	Date of change
0	[2010年01月19日] 掲載 [2010年02月10日] 影響を受けるシステム：アップル (HT4004) の情報を追加ベンダ情報：アップル (HT4004) を追加	Feb. 17, 2018, 10:37 a.m.

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:adobe:adobe_air:1.0:::::::*
cpe:2.3:a:adobe:adobe_air:1.0.1:::::::*
cpe:2.3:a:adobe:adobe_air:1.1:::::::*
cpe:2.3:a:adobe:adobe_air:1.5.1:::::::*
cpe:2.3:a:adobe:adobe_air::::::::		1.5.2
cpe:2.3:a:adobe:flash_player:7.0:::::::*
cpe:2.3:a:adobe:flash_player:7.0.1:::::::*
cpe:2.3:a:adobe:flash_player:7.0.25:::::::*
cpe:2.3:a:adobe:flash_player:7.0.63:::::::*
cpe:2.3:a:adobe:flash_player:7.0.69.0:::::::*
cpe:2.3:a:adobe:flash_player:7.0.70.0:::::::*
cpe:2.3:a:adobe:flash_player:7.1:::::::*
cpe:2.3:a:adobe:flash_player:7.1.1:::::::*
cpe:2.3:a:adobe:flash_player:7.2:::::::*
cpe:2.3:a:adobe:flash_player:8::pro:::::
cpe:2.3:a:adobe:flash_player:8::professional:::::
cpe:2.3:a:adobe:flash_player:8.0:::::::*
cpe:2.3:a:adobe:flash_player:8.0::basic:::::
cpe:2.3:a:adobe:flash_player:8.0::pro:::::
cpe:2.3:a:adobe:flash_player:8.0.24.0:::::::*
cpe:2.3:a:adobe:flash_player:8.0.34.0:::::::*
cpe:2.3:a:adobe:flash_player:8.0.35.0:::::::*
cpe:2.3:a:adobe:flash_player:8.0.39.0:::::::*
cpe:2.3:a:adobe:flash_player:9.0:::::::*
cpe:2.3:a:adobe:flash_player:9.0.16:::::::*
cpe:2.3:a:adobe:flash_player:9.0.18d60:::::::*
cpe:2.3:a:adobe:flash_player:9.0.20:::::::*
cpe:2.3:a:adobe:flash_player:9.0.20.0:::::::*
cpe:2.3:a:adobe:flash_player:9.0.28:::::::*
cpe:2.3:a:adobe:flash_player:9.0.28.0:::::::*
cpe:2.3:a:adobe:flash_player:9.0.31:::::::*
cpe:2.3:a:adobe:flash_player:9.0.31.0:::::::*
cpe:2.3:a:adobe:flash_player:9.0.45.0:::::::*
cpe:2.3:a:adobe:flash_player:9.0.47.0:::::::*
cpe:2.3:a:adobe:flash_player:9.0.48.0:::::::*
cpe:2.3:a:adobe:flash_player:9.0.112.0:::::::*
cpe:2.3:a:adobe:flash_player:9.0.114.0:::::::*
cpe:2.3:a:adobe:flash_player:9.0.115.0:::::::*
cpe:2.3:a:adobe:flash_player:9.0.124.0:::::::*
cpe:2.3:a:adobe:flash_player:9.0.155.0:::::::*
cpe:2.3:a:adobe:flash_player:9.0.159.0:::::::*
cpe:2.3:a:adobe:flash_player:9.125.0:::::::*
cpe:2.3:a:adobe:flash_player:10.0.0.584:::::::*
cpe:2.3:a:adobe:flash_player:10.0.12.10:::::::*
cpe:2.3:a:adobe:flash_player:10.0.12.36:::::::*
cpe:2.3:a:adobe:flash_player:10.0.22.87:::::::*
cpe:2.3:a:adobe:flash_player::::::::		10.0.32.18