Multiple vulnerabilities in Adobe Digital Editions



Risk: High
Patch available: YES
Number of vulnerabilities: 9
CVE-ID: CVE-2017-3088, CVE-2017-3089, CVE-2017-3093, CVE-2017-3096, CVE-2017-3090, CVE-2017-3092, CVE-2017-3097, CVE-2017-3094, CVE-2017-3095
CWE-ID: CWE-119, CWE-426, CWE-125
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: Adobe Digital Editions (Client/Desktop applications / Multimedia software)
Vendor: Adobe

Security Bulletin

This security bulletin contains information about 9 vulnerabilities.

1) Memory corruption

EUVDB-ID: #VU7025

Risk: High

CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2017-3088

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability may result in full system compromise.

Mitigation

Update to version 4.5.5.

Vulnerable software versions

Adobe Digital Editions: 4.0 - 4.5.4

External links

https://helpx.adobe.com/security/products/Digital-Editions/apsb17-20.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Memory corruption

EUVDB-ID: #VU7026

Risk: High

CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2017-3089

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability may result in full system compromise.

Mitigation

Update to version 4.5.5.

Vulnerable software versions

Adobe Digital Editions: 4.0 - 4.5.4

External links

https://helpx.adobe.com/security/products/Digital-Editions/apsb17-20.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Memory corruption

EUVDB-ID: #VU7027

Risk: High

CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2017-3093

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability may result in full system compromise.

Mitigation

Update to version 4.5.5.

Vulnerable software versions

Adobe Digital Editions: 4.0 - 4.5.4

External links

https://helpx.adobe.com/security/products/Digital-Editions/apsb17-20.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Memory corruption

EUVDB-ID: #VU7028

Risk: High

CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2017-3096

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability may result in full system compromise.

Mitigation

Update to version 4.5.5.

Vulnerable software versions

Adobe Digital Editions: 4.0 - 4.5.4

External links

https://helpx.adobe.com/security/products/Digital-Editions/apsb17-20.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Insecure DLL library loading

EUVDB-ID: #VU7029

Risk: High

CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2017-3090

CWE-ID: CWE-426 - Untrusted Search Path

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain elevated privileges on the target system.

The weakness exists due to insecure loading of dynamic libraries (.dll). A remote attacker can place an Adobe Digital Editions media file along with a specially crafted .dll file on a public SMB or WebDAV share, trick the victim into opening the legitimate media file with Adobe Digital Editions and execute arbitrary code on the target system with the privileges of the current user.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Update to version 4.5.5.

Vulnerable software versions

Adobe Digital Editions: 4.0 - 4.5.4

External links

https://helpx.adobe.com/security/products/Digital-Editions/apsb17-20.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Insecure DLL library loading

EUVDB-ID: #VU7030

Risk: High

CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2017-3092

CWE-ID: CWE-426 - Untrusted Search Path

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain elevated privileges on the target system.

The weakness exists due to insecure loading of dynamic libraries (.dll). A remote attacker can place an Adobe Digital Editions media file along with a specially crafted .dll file on a public SMB or WebDAV share, trick the victim into opening the legitimate media file with Adobe Digital Editions and execute arbitrary code on the target system with the privileges of the current user.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Update to version 4.5.5.

Vulnerable software versions

Adobe Digital Editions: 4.0 - 4.5.4

External links

https://helpx.adobe.com/security/products/Digital-Editions/apsb17-20.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Insecure DLL library loading

EUVDB-ID: #VU7031

Risk: High

CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2017-3097

CWE-ID: CWE-426 - Untrusted Search Path

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain elevated privileges on the target system.

The weakness exists due to insecure loading of dynamic libraries (.dll). A remote attacker can place an Adobe Digital Editions media file along with a specially crafted .dll file on a public SMB or WebDAV share, trick the victim into opening the legitimate media file with Adobe Digital Editions and execute arbitrary code on the target system with the privileges of the current user.

Successful exploitation of the vulnerability may result in system compromise.
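
A detection check for the three untrusted search path entries (CVE-2017-3090, CVE-2017-3092, CVE-2017-3097), added here as an example and not taken from the bulletin or from Adobe: it scans image-load telemetry for DLLs that the Digital Editions process loaded from a UNC path (SMB or WebDAV) or from outside its install and system directories. The process name `DigitalEditions.exe`, the trusted directory list, the CSV layout and the sample events are assumptions constructed for illustration.

```python
import csv
import io
from pathlib import PureWindowsPath

# Assumptions (not from the advisory): process name and trusted directories.
ADE_IMAGE = "digitaleditions.exe"
TRUSTED_DIRS = [PureWindowsPath(p) for p in (
    r"C:\Program Files (x86)\Adobe", r"C:\Program Files\Adobe", r"C:\Windows")]

# Constructed image-load events (CSV: loading process, loaded module).
SAMPLE_EVENTS = r"""image,image_loaded
C:\Program Files (x86)\Adobe\Adobe Digital Editions 4.5\DigitalEditions.exe,C:\Windows\System32\example.dll
C:\Program Files (x86)\Adobe\Adobe Digital Editions 4.5\DigitalEditions.exe,\\files.example.test\public\books\example.dll
C:\Program Files (x86)\Adobe\Adobe Digital Editions 4.5\DigitalEditions.exe,\\dav.example.test@SSL\DavWWWRoot\books\example.dll
C:\Program Files (x86)\Adobe\Adobe Digital Editions 4.5\DigitalEditions.exe,C:\Users\alice\Downloads\books\example.dll
C:\Windows\System32\notepad.exe,\\files.example.test\public\books\example.dll
"""

def is_remote(path):
    # A UNC drive component covers SMB shares and WebDAV redirector paths.
    return PureWindowsPath(path).drive.startswith("\\\\")

def is_trusted(path):
    # PureWindowsPath comparisons are case-insensitive, like Windows lookups.
    p = PureWindowsPath(path)
    return any(root in p.parents for root in TRUSTED_DIRS)

def suspicious_loads(log_text):
    """Return (dll_path, reason) for ADE module loads worth investigating."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        # Only module loads performed by the Digital Editions process matter.
        if PureWindowsPath(row["image"]).name.lower() != ADE_IMAGE:
            continue
        dll = row["image_loaded"]
        if is_remote(dll):
            findings.append((dll, "remote"))
        elif not is_trusted(dll):
            findings.append((dll, "untrusted-dir"))
    return findings

if __name__ == "__main__":
    for dll, reason in suspicious_loads(SAMPLE_EVENTS):
        print(f"{reason:14} {dll}")
```

A mapped drive letter that points at a share is not recognised as remote, so it is reported under `untrusted-dir` instead.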

Mitigation

Update to version 4.5.5.

Vulnerable software versions

Adobe Digital Editions: 4.0 - 4.5.4

External links

https://helpx.adobe.com/security/products/Digital-Editions/apsb17-20.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Out-of-bounds read

EUVDB-ID: #VU7032

Risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-3094

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The weakness exists due to an out-of-bounds read. A remote attacker can trigger memory corruption and gain access to a memory address.

Successful exploitation of the vulnerability results in information disclosure.

Mitigation

Update to version 4.5.5.

Vulnerable software versions

Adobe Digital Editions: 4.0 - 4.5.4

External links

https://helpx.adobe.com/security/products/Digital-Editions/apsb17-20.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Out-of-bounds read

EUVDB-ID: #VU7033

Risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-3095

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The weakness exists due to an out-of-bounds read. A remote attacker can trigger memory corruption and gain access to a memory address.

Successful exploitation of the vulnerability results in information disclosure.

Mitigation

Update to version 4.5.5.

Vulnerable software versions

Adobe Digital Editions: 4.0 - 4.5.4

External links

https://helpx.adobe.com/security/products/Digital-Editions/apsb17-20.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


