|Description||CRLF injection vulnerability in Adobe Flash Player plugin 9.0.16 and earlier for Windows, 7.0.63 and earlier for Linux, 7.x before 7.0 r67 for Solaris, and before 184.108.40.206 for Mac OS X, allows remote attackers to modify HTTP headers of client requests and conduct HTTP Request Splitting attacks via CRLF sequences in arguments to the ActionScript functions (1) XML.addRequestHeader and (2) XML.contentType. NOTE: the flexibility of the attack varies depending on the type of web browser being used.|
|Source||CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)|
|NVD severity||medium (attack range: remote)|
Vulnerable and fixed packages
The table below lists information on source packages.
The information below is based on the following data on fixed versions.
It is not clear if this is already fix in 220.127.116.11.X (previous version)
or not but it's fix in 18.104.22.168.1 for sure.
[sarge] - flashplugin-nonfree <no-dsa> (Contrib not supported, only installer package)
[etch] - flashplugin-nonfree <no-dsa> (Contrib not supported, only installer package)