Flash Player access restriction bypass vulnerability


Flash Player contains an access restriction bypass vulnerability.

When Flash Player references a different website than the site where Flash contents are hosted, the referenced site must be allowed access by the cross-domain policy file.

Flash Player contains a vulnerability where access restrictions set by the cross-domain policy file may be bypassed.
CVSS Severity (What is CVSS?)

CVSS V2 Severity:
Base Metrics 2.6 (Low) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None
Affected Products

Apple Inc.
  • Apple Mac OS X v10.5.8
  • Apple Mac OS X v10.6 through v10.6.4
  • Apple Mac OS X Server v10.5.8
  • Apple Mac OS X Server v10.6 through v10.6.4
Adobe Systems, Inc.
  • Adobe Flash Player and earlier for Windows, Macintosh, Linux, and Solaris
  • Adobe Flash Player for Android
Oracle Corporation
  • Oracle Solaris 10
  • Oracle Solaris 11 Express
Red Hat, Inc.
  • Red Hat Enterprise Linux Extras 4 extras
  • Red Hat Enterprise Linux Extras 4.8.z extras
  • Red Hat Enterprise Linux Server Supplementary 6
  • Red Hat Enterprise Linux Workstation Supplementary 6
  • RHEL Desktop Supplementary 6
  • RHEL Desktop Supplementary 5 (client)
  • RHEL Supplementary 5 (server)


Cross-domain policy restrictions can be bypassed by using a specially crafted web page. This could result in unauthorized access to website data.

[Update the Software]
Update to the latest version according to the information provided by the developer.
Vendor Information

Apple Inc.
  • Apple Security Updates : HT4435
Adobe Systems, Inc. Oracle Corporation Red Hat, Inc.
CWE (What is CWE?)

  1. Permissions(CWE-264) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2010-3636

  1. JVN : JVN#48425028
  2. JVN : JVNVU#331391 (Japanese)
  3. National Vulnerability Database (NVD) : CVE-2010-3636
  4. Secunia Advisory : SA42183
  5. SecurityFocus : 44691
  6. VUPEN Security : VUPEN/ADV-2010-2903
  7. VUPEN Security : VUPEN/ADV-2010-2906
  8. VUPEN Security : VUPEN/ADV-2010-2918
Revision History

  • [2010/11/09]
      Web page published
      Affected Products : Added Apple Inc (HT4435)
      Affected Products : Added Red Hat, Inc. (RHSA-2010:0829)
      Affected Products : Added Red Hat, Inc. (RHSA-2010:0834)
      Affected Products : Added Red Hat, Inc. (RHSA-2010:0867)
      Vendor Information : Added Apple Inc (HT4435)
      Vendor Information : Added Red Hat, Inc. (RHSA-2010:0829)
      Vendor Information : Added Red Hat, Inc. (RHSA-2010:0834)
      Vendor Information : Added Red Hat, Inc. (RHSA-2010:0867)
      Affected Products : Added Oracle Corporation (multiple_vulnerabilities_in_adobe_flash1)
      Vendor Information : Added Oracle Corporation (multiple_vulnerabilities_in_adobe_flash1)