CVE Vulnerabilities

CVE-2014-4671

Cross-Site Request Forgery (CSRF)

Published: Jul 09, 2014 | Modified: Sep 22, 2015
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
4.3 MEDIUM
AV:N/AC:M/Au:N/C:P/I:N/A:N
RedHat/V2
4.3 MODERATE
AV:N/AC:M/Au:N/C:N/I:P/A:N
RedHat/V3
Ubuntu
MEDIUM

Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 do not properly restrict the SWF file format, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks against JSONP endpoints, and obtain sensitive information, via a crafted OBJECT element with SWF content satisfying the character-set requirements of a callback API.

Weakness

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

Affected Software

Name Vendor Start Version End Version
Flash_player Adobe * 11.2.202.378 (including)
Flash_player Adobe 11.2.202.223 (including) 11.2.202.223 (including)
Flash_player Adobe 11.2.202.228 (including) 11.2.202.228 (including)
Flash_player Adobe 11.2.202.233 (including) 11.2.202.233 (including)
Flash_player Adobe 11.2.202.235 (including) 11.2.202.235 (including)
Flash_player Adobe 11.2.202.236 (including) 11.2.202.236 (including)
Flash_player Adobe 11.2.202.238 (including) 11.2.202.238 (including)
Flash_player Adobe 11.2.202.243 (including) 11.2.202.243 (including)
Flash_player Adobe 11.2.202.251 (including) 11.2.202.251 (including)
Flash_player Adobe 11.2.202.258 (including) 11.2.202.258 (including)
Flash_player Adobe 11.2.202.261 (including) 11.2.202.261 (including)
Flash_player Adobe 11.2.202.262 (including) 11.2.202.262 (including)
Flash_player Adobe 11.2.202.270 (including) 11.2.202.270 (including)
Flash_player Adobe 11.2.202.273 (including) 11.2.202.273 (including)
Flash_player Adobe 11.2.202.275 (including) 11.2.202.275 (including)
Flash_player Adobe 11.2.202.280 (including) 11.2.202.280 (including)
Flash_player Adobe 11.2.202.285 (including) 11.2.202.285 (including)
Flash_player Adobe 11.2.202.291 (including) 11.2.202.291 (including)
Flash_player Adobe 11.2.202.297 (including) 11.2.202.297 (including)
Flash_player Adobe 11.2.202.310 (including) 11.2.202.310 (including)
Flash_player Adobe 11.2.202.332 (including) 11.2.202.332 (including)
Flash_player Adobe 11.2.202.335 (including) 11.2.202.335 (including)
Flash_player Adobe 11.2.202.336 (including) 11.2.202.336 (including)
Flash_player Adobe 11.2.202.341 (including) 11.2.202.341 (including)
Flash_player Adobe 11.2.202.346 (including) 11.2.202.346 (including)
Flash_player Adobe 11.2.202.350 (including) 11.2.202.350 (including)
Flash_player Adobe 11.2.202.356 (including) 11.2.202.356 (including)
Flash_player Adobe 11.2.202.359 (including) 11.2.202.359 (including)
Supplementary for Red Hat Enterprise Linux 5 RedHat flash-plugin-0:11.2.202.394-1.el5 *
Supplementary for Red Hat Enterprise Linux 6 RedHat flash-plugin-0:11.2.202.394-1.el6 *
Adobe-flashplugin Ubuntu lucid *
Adobe-flashplugin Ubuntu precise *
Adobe-flashplugin Ubuntu saucy *
Adobe-flashplugin Ubuntu trusty *
Adobe-flashplugin Ubuntu upstream *
Flashplugin-nonfree Ubuntu devel *
Flashplugin-nonfree Ubuntu lucid *
Flashplugin-nonfree Ubuntu precise *
Flashplugin-nonfree Ubuntu saucy *
Flashplugin-nonfree Ubuntu trusty *
Flashplugin-nonfree Ubuntu upstream *

Potential Mitigations

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, use anti-CSRF packages such as the OWASP CSRFGuard. [REF-330]
  • Another example is the ESAPI Session Management control, which includes a component for CSRF. [REF-45]
  • Use the “double-submitted cookie” method as described by Felten and Zeller:
  • When a user visits a site, the site should generate a pseudorandom value and set it as a cookie on the user’s machine. The site should require every form submission to include this value as a form value and also as a cookie value. When a POST request is sent to the site, the request should only be considered valid if the form value and the cookie value are the same.
  • Because of the same-origin policy, an attacker cannot read or modify the value stored in the cookie. To successfully submit a form on behalf of the user, the attacker would have to correctly guess the pseudorandom value. If the pseudorandom value is cryptographically strong, this will be prohibitively difficult.
  • This technique requires Javascript, so it may not work for browsers that have Javascript disabled. [REF-331]

References