Multiple vulnerabilities in Adobe Acrobat and Reader



Published: 2021-07-13
Risk: High
Patch available: YES
Number of vulnerabilities: 19
CVE ID: CVE-2021-35988, CVE-2021-28638, CVE-2021-28635, CVE-2021-35981, CVE-2021-35983, CVE-2021-28634, CVE-2021-28636, CVE-2021-35984, CVE-2021-35985, CVE-2021-35986, CVE-2021-35987, CVE-2021-28637, CVE-2021-28642, CVE-2021-28639, CVE-2021-28641, CVE-2021-28643, CVE-2021-28640, CVE-2021-28644, CVE-2021-35980
CWE ID: CWE-125, CWE-122, CWE-416, CWE-78, CWE-427, CWE-476, CWE-843, CWE-787, CWE-22
Exploitation vector: Network
Public exploit: N/A
Vulnerable software
Adobe Acrobat DC
Client/Desktop applications / Office applications

Adobe Acrobat Reader DC
Client/Desktop applications / Office applications

Adobe Acrobat
Client/Desktop applications / Office applications

Adobe Acrobat Reader
Client/Desktop applications / Office applications

Vendor: Adobe

Security Advisory

1) Out-of-bounds read

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-35988

CWE-ID: CWE-125 - Out-of-bounds Read

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition. A remote attacker can create a specially crafted PDF file, trick the victim into opening it, trigger an out-of-bounds read error and read the contents of memory on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Adobe Acrobat DC: 2020.001.30020, 2020.001.30025, 2020.004.30005, 2020.006.20034, 2020.006.20042, 2020.009.20063, 2020.009.20074, 2020.012.20041, 2020.012.20048, 2020.013.20064, 2020.013.20066, 2020.013.20074, 2021.001.20135, 2021.001.20149, 2021.001.20150, 2021.001.20155, 2021.005.20054, 2021.005.20148

Adobe Acrobat Reader DC: 2020.001.30020, 2020.001.30025, 2020.004.30005, 2020.006.20034, 2020.006.20042, 2020.009.20063, 2020.009.20074, 2020.012.20041, 2020.012.20048, 2020.013.20064, 2020.013.20066, 2020.013.20074, 2021.001.20135, 2021.001.20149, 2021.001.20150, 2021.001.20155, 2021.005.20054, 2021.005.20148

Adobe Acrobat: 2017.008.30051, 2017.011.30066, 2017.011.30068, 2017.011.30070, 2017.011.30078, 2017.011.30096, 2017.011.30102, 2017.011.30105, 2017.011.30120, 2017.011.30127, 2017.011.30148, 2017.011.30150, 2017.011.30152, 2017.011.30156, 2017.011.30158, 2017.011.30166, 2017.011.30171, 2017.011.30175, 2017.011.30180, 2017.011.30188, 2017.011.30190, 2017.011.30194, 2017.011.30196, 2017.011.30197

Adobe Acrobat Reader: 2017.011.30156, 2017.011.30158, 2017.011.30171, 2017.011.30180, 2017.011.30188, 2017.011.30190, 2017.011.30194, 2017.011.30196, 2017.011.30197

External links

https://helpx.adobe.com/security/products/acrobat/apsb21-51.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website or opening an attachment in an e-mail message.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Heap-based buffer overflow

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-28638

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to a boundary condition when processing PDF files. A remote attacker can trick the victim into opening a specially crafted PDF document, trigger a heap-based buffer overflow and execute arbitrary code on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Adobe Acrobat DC: 2020.001.30020, 2020.001.30025, 2020.004.30005, 2020.006.20034, 2020.006.20042, 2020.009.20063, 2020.009.20074, 2020.012.20041, 2020.012.20048, 2020.013.20064, 2020.013.20066, 2020.013.20074, 2021.001.20135, 2021.001.20149, 2021.001.20150, 2021.001.20155, 2021.005.20054, 2021.005.20148

Adobe Acrobat Reader DC: 2020.001.30020, 2020.001.30025, 2020.004.30005, 2020.006.20034, 2020.006.20042, 2020.009.20063, 2020.009.20074, 2020.012.20041, 2020.012.20048, 2020.013.20064, 2020.013.20066, 2020.013.20074, 2021.001.20135, 2021.001.20149, 2021.001.20150, 2021.001.20155, 2021.005.20054, 2021.005.20148

Adobe Acrobat: 2017.008.30051, 2017.011.30066, 2017.011.30068, 2017.011.30070, 2017.011.30078, 2017.011.30096, 2017.011.30102, 2017.011.30105, 2017.011.30120, 2017.011.30127, 2017.011.30148, 2017.011.30150, 2017.011.30152, 2017.011.30156, 2017.011.30158, 2017.011.30166, 2017.011.30171, 2017.011.30175, 2017.011.30180, 2017.011.30188, 2017.011.30190, 2017.011.30194, 2017.011.30196, 2017.011.30197

Adobe Acrobat Reader: 2017.011.30156, 2017.011.30158, 2017.011.30171, 2017.011.30180, 2017.011.30188, 2017.011.30190, 2017.011.30194, 2017.011.30196, 2017.011.30197

External links

https://helpx.adobe.com/security/products/acrobat/apsb21-51.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website or opening an attachment in an e-mail message.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Use-after-free

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-28635

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to a boundary condition when processing PDF files. A remote attacker can trick the victim into opening a specially crafted PDF document, trigger a use-after-free error and execute arbitrary code on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Adobe Acrobat DC: 2020.001.30020, 2020.001.30025, 2020.004.30005, 2020.006.20034, 2020.006.20042, 2020.009.20063, 2020.009.20074, 2020.012.20041, 2020.012.20048, 2020.013.20064, 2020.013.20066, 2020.013.20074, 2021.001.20135, 2021.001.20149, 2021.001.20150, 2021.001.20155, 2021.005.20054, 2021.005.20148

Adobe Acrobat Reader DC: 2020.001.30020, 2020.001.30025, 2020.004.30005, 2020.006.20034, 2020.006.20042, 2020.009.20063, 2020.009.20074, 2020.012.20041, 2020.012.20048, 2020.013.20064, 2020.013.20066, 2020.013.20074, 2021.001.20135, 2021.001.20149, 2021.001.20150, 2021.001.20155, 2021.005.20054, 2021.005.20148

Adobe Acrobat: 2017.008.30051, 2017.011.30066, 2017.011.30068, 2017.011.30070, 2017.011.30078, 2017.011.30096, 2017.011.30102, 2017.011.30105, 2017.011.30120, 2017.011.30127, 2017.011.30148, 2017.011.30150, 2017.011.30152, 2017.011.30156, 2017.011.30158, 2017.011.30166, 2017.011.30171, 2017.011.30175, 2017.011.30180, 2017.011.30188, 2017.011.30190, 2017.011.30194, 2017.011.30196, 2017.011.30197

Adobe Acrobat Reader: 2017.011.30156, 2017.011.30158, 2017.011.30171, 2017.011.30180, 2017.011.30188, 2017.011.30190, 2017.011.30194, 2017.011.30196, 2017.011.30197

External links

https://helpx.adobe.com/security/products/acrobat/apsb21-51.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website or opening an attachment in an e-mail message.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Use-after-free

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-35981

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to a boundary condition when processing PDF files. A remote attacker can trick the victim into opening a specially crafted PDF document, trigger a use-after-free error and execute arbitrary code on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Adobe Acrobat DC: 2020.001.30020, 2020.001.30025, 2020.004.30005, 2020.006.20034, 2020.006.20042, 2020.009.20063, 2020.009.20074, 2020.012.20041, 2020.012.20048, 2020.013.20064, 2020.013.20066, 2020.013.20074, 2021.001.20135, 2021.001.20149, 2021.001.20150, 2021.001.20155, 2021.005.20054, 2021.005.20148

Adobe Acrobat Reader DC: 2020.001.30020, 2020.001.30025, 2020.004.30005, 2020.006.20034, 2020.006.20042, 2020.009.20063, 2020.009.20074, 2020.012.20041, 2020.012.20048, 2020.013.20064, 2020.013.20066, 2020.013.20074, 2021.001.20135, 2021.001.20149, 2021.001.20150, 2021.001.20155, 2021.005.20054, 2021.005.20148

Adobe Acrobat: 2017.008.30051, 2017.011.30066, 2017.011.30068, 2017.011.30070, 2017.011.30078, 2017.011.30096, 2017.011.30102, 2017.011.30105, 2017.011.30120, 2017.011.30127, 2017.011.30148, 2017.011.30150, 2017.011.30152, 2017.011.30156, 2017.011.30158, 2017.011.30166, 2017.011.30171, 2017.011.30175, 2017.011.30180, 2017.011.30188, 2017.011.30190, 2017.011.30194, 2017.011.30196, 2017.011.30197

Adobe Acrobat Reader: 2017.011.30156, 2017.011.30158, 2017.011.30171, 2017.011.30180, 2017.011.30188, 2017.011.30190, 2017.011.30194, 2017.011.30196, 2017.011.30197

External links

https://helpx.adobe.com/security/products/acrobat/apsb21-51.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website or opening an attachment in an e-mail message.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Use-after-free

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-35983

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to a boundary condition when processing PDF files. A remote attacker can trick the victim into opening a specially crafted PDF document, trigger a use-after-free error and execute arbitrary code on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Adobe Acrobat DC: 2020.001.30020, 2020.001.30025, 2020.004.30005, 2020.006.20034, 2020.006.20042, 2020.009.20063, 2020.009.20074, 2020.012.20041, 2020.012.20048, 2020.013.20064, 2020.013.20066, 2020.013.20074, 2021.001.20135, 2021.001.20149, 2021.001.20150, 2021.001.20155, 2021.005.20054, 2021.005.20148

Adobe Acrobat Reader DC: 2020.001.30020, 2020.001.30025, 2020.004.30005, 2020.006.20034, 2020.006.20042, 2020.009.20063, 2020.009.20074, 2020.012.20041, 2020.012.20048, 2020.013.20064, 2020.013.20066, 2020.013.20074, 2021.001.20135, 2021.001.20149, 2021.001.20150, 2021.001.20155, 2021.005.20054, 2021.005.20148

Adobe Acrobat: 2017.008.30051, 2017.011.30066, 2017.011.30068, 2017.011.30070, 2017.011.30078, 2017.011.30096, 2017.011.30102, 2017.011.30105, 2017.011.30120, 2017.011.30127, 2017.011.30148, 2017.011.30150, 2017.011.30152, 2017.011.30156, 2017.011.30158, 2017.011.30166, 2017.011.30171, 2017.011.30175, 2017.011.30180, 2017.011.30188, 2017.011.30190, 2017.011.30194, 2017.011.30196, 2017.011.30197

Adobe Acrobat Reader: 2017.011.30156, 2017.011.30158, 2017.011.30171, 2017.011.30180, 2017.011.30188, 2017.011.30190, 2017.011.30194, 2017.011.30196, 2017.011.30197

External links

https://helpx.adobe.com/security/products/acrobat/apsb21-51.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website or opening an attachment in an e-mail message.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Command injection

Risk: Low

CVSSv3.1: 6.4 [CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-28634

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper input validation. A local user can execute arbitrary OS commands and escalate privileges on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Adobe Acrobat DC: 2020.001.30020, 2020.001.30025, 2020.004.30005, 2020.006.20034, 2020.006.20042, 2020.009.20063, 2020.009.20074, 2020.012.20041, 2020.012.20048, 2020.013.20064, 2020.013.20066, 2020.013.20074, 2021.001.20135, 2021.001.20149, 2021.001.20150, 2021.001.20155, 2021.005.20054, 2021.005.20148

Adobe Acrobat Reader DC: 2020.001.30020, 2020.001.30025, 2020.004.30005, 2020.006.20034, 2020.006.20042, 2020.009.20063, 2020.009.20074, 2020.012.20041, 2020.012.20048, 2020.013.20064, 2020.013.20066, 2020.013.20074, 2021.001.20135, 2021.001.20149, 2021.001.20150, 2021.001.20155, 2021.005.20054, 2021.005.20148

Adobe Acrobat: 2017.008.30051, 2017.011.30066, 2017.011.30068, 2017.011.30070, 2017.011.30078, 2017.011.30096, 2017.011.30102, 2017.011.30105, 2017.011.30120, 2017.011.30127, 2017.011.30148, 2017.011.30150, 2017.011.30152, 2017.011.30156, 2017.011.30158, 2017.011.30166, 2017.011.30171, 2017.011.30175, 2017.011.30180, 2017.011.30188, 2017.011.30190, 2017.011.30194, 2017.011.30196, 2017.011.30197

Adobe Acrobat Reader: 2017.011.30156, 2017.011.30158, 2017.011.30171, 2017.011.30180, 2017.011.30188, 2017.011.30190, 2017.011.30194, 2017.011.30196, 2017.011.30197

External links

https://helpx.adobe.com/security/products/acrobat/apsb21-51.html

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website or opening an attachment in an e-mail message.

The attacker would have to log in to the system and perform certain actions in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Insecure DLL loading

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-28636

CWE-ID: CWE-427 - Uncontrolled Search Path Element

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists because the application loads DLL libraries in an insecure manner. A remote attacker can place a specially crafted .dll file on a remote SMB fileshare, trick the victim into opening a file associated with the vulnerable application, and execute arbitrary code on the victim's system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Adobe Acrobat DC: 2020.001.30020, 2020.001.30025, 2020.004.30005, 2020.006.20034, 2020.006.20042, 2020.009.20063, 2020.009.20074, 2020.012.20041, 2020.012.20048, 2020.013.20064, 2020.013.20066, 2020.013.20074, 2021.001.20135, 2021.001.20149, 2021.001.20150, 2021.001.20155, 2021.005.20054, 2021.005.20148

Adobe Acrobat Reader DC: 2020.001.30020, 2020.001.30025, 2020.004.30005, 2020.006.20034, 2020.006.20042, 2020.009.20063, 2020.009.20074, 2020.012.20041, 2020.012.20048, 2020.013.20064, 2020.013.20066, 2020.013.20074, 2021.001.20135, 2021.001.20149, 2021.001.20150, 2021.001.20155, 2021.005.20054, 2021.005.20148

Adobe Acrobat: 2017.008.30051, 2017.011.30066, 2017.011.30068, 2017.011.30070, 2017.011.30078, 2017.011.30096, 2017.011.30102, 2017.011.30105, 2017.011.30120, 2017.011.30127, 2017.011.30148, 2017.011.30150, 2017.011.30152, 2017.011.30156, 2017.011.30158, 2017.011.30166, 2017.011.30171, 2017.011.30175, 2017.011.30180, 2017.011.30188, 2017.011.30190, 2017.011.30194, 2017.011.30196, 2017.011.30197

Adobe Acrobat Reader: 2017.011.30156, 2017.011.30158, 2017.011.30171, 2017.011.30180, 2017.011.30188, 2017.011.30190, 2017.011.30194, 2017.011.30196, 2017.011.30197

External links

https://helpx.adobe.com/security/products/acrobat/apsb21-51.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website or opening an attachment in an e-mail message.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) NULL pointer dereference

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-35984

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error. A remote attacker can trick the victim into opening a specially crafted file and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Adobe Acrobat DC: 2020.001.30020, 2020.001.30025, 2020.004.30005, 2020.006.20034, 2020.006.20042, 2020.009.20063, 2020.009.20074, 2020.012.20041, 2020.012.20048, 2020.013.20064, 2020.013.20066, 2020.013.20074, 2021.001.20135, 2021.001.20149, 2021.001.20150, 2021.001.20155, 2021.005.20054, 2021.005.20148

Adobe Acrobat Reader DC: 2020.001.30020, 2020.001.30025, 2020.004.30005, 2020.006.20034, 2020.006.20042, 2020.009.20063, 2020.009.20074, 2020.012.20041, 2020.012.20048, 2020.013.20064, 2020.013.20066, 2020.013.20074, 2021.001.20135, 2021.001.20149, 2021.001.20150, 2021.001.20155, 2021.005.20054, 2021.005.20148

Adobe Acrobat: 2017.008.30051, 2017.011.30066, 2017.011.30068, 2017.011.30070, 2017.011.30078, 2017.011.30096, 2017.011.30102, 2017.011.30105, 2017.011.30120, 2017.011.30127, 2017.011.30148, 2017.011.30150, 2017.011.30152, 2017.011.30156, 2017.011.30158, 2017.011.30166, 2017.011.30171, 2017.011.30175, 2017.011.30180, 2017.011.30188, 2017.011.30190, 2017.011.30194, 2017.011.30196, 2017.011.30197

Adobe Acrobat Reader: 2017.011.30156, 2017.011.30158, 2017.011.30171, 2017.011.30180, 2017.011.30188, 2017.011.30190, 2017.011.30194, 2017.011.30196, 2017.011.30197

External links

https://helpx.adobe.com/security/products/acrobat/apsb21-51.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website or opening an attachment in an e-mail message.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) NULL pointer dereference

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-35985

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error. A remote attacker can trick the victim into opening a specially crafted file and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Adobe Acrobat DC: 2020.001.30020, 2020.001.30025, 2020.004.30005, 2020.006.20034, 2020.006.20042, 2020.009.20063, 2020.009.20074, 2020.012.20041, 2020.012.20048, 2020.013.20064, 2020.013.20066, 2020.013.20074, 2021.001.20135, 2021.001.20149, 2021.001.20150, 2021.001.20155, 2021.005.20054, 2021.005.20148

Adobe Acrobat Reader DC: 2020.001.30020, 2020.001.30025, 2020.004.30005, 2020.006.20034, 2020.006.20042, 2020.009.20063, 2020.009.20074, 2020.012.20041, 2020.012.20048, 2020.013.20064, 2020.013.20066, 2020.013.20074, 2021.001.20135, 2021.001.20149, 2021.001.20150, 2021.001.20155, 2021.005.20054, 2021.005.20148

Adobe Acrobat: 2017.008.30051, 2017.011.30066, 2017.011.30068, 2017.011.30070, 2017.011.30078, 2017.011.30096, 2017.011.30102, 2017.011.30105, 2017.011.30120, 2017.011.30127, 2017.011.30148, 2017.011.30150, 2017.011.30152, 2017.011.30156, 2017.011.30158, 2017.011.30166, 2017.011.30171, 2017.011.30175, 2017.011.30180, 2017.011.30188, 2017.011.30190, 2017.011.30194, 2017.011.30196, 2017.011.30197

Adobe Acrobat Reader: 2017.011.30156, 2017.011.30158, 2017.011.30171, 2017.011.30180, 2017.011.30188, 2017.011.30190, 2017.011.30194, 2017.011.30196, 2017.011.30197

External links

https://helpx.adobe.com/security/products/acrobat/apsb21-51.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website or opening an attachment in an e-mail message.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Type confusion

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-35986

CWE-ID: CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to a boundary condition when processing PDF files. A remote attacker can trick the victim into opening a specially crafted PDF document, trigger a type confusion error and execute arbitrary code on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Adobe Acrobat DC: 2020.001.30020, 2020.001.30025, 2020.004.30005, 2020.006.20034, 2020.006.20042, 2020.009.20063, 2020.009.20074, 2020.012.20041, 2020.012.20048, 2020.013.20064, 2020.013.20066, 2020.013.20074, 2021.001.20135, 2021.001.20149, 2021.001.20150, 2021.001.20155, 2021.005.20054, 2021.005.20148

Adobe Acrobat Reader DC: 2020.001.30020, 2020.001.30025, 2020.004.30005, 2020.006.20034, 2020.006.20042, 2020.009.20063, 2020.009.20074, 2020.012.20041, 2020.012.20048, 2020.013.20064, 2020.013.20066, 2020.013.20074, 2021.001.20135, 2021.001.20149, 2021.001.20150, 2021.001.20155, 2021.005.20054, 2021.005.20148

Adobe Acrobat: 2017.008.30051, 2017.011.30066, 2017.011.30068, 2017.011.30070, 2017.011.30078, 2017.011.30096, 2017.011.30102, 2017.011.30105, 2017.011.30120, 2017.011.30127, 2017.011.30148, 2017.011.30150, 2017.011.30152, 2017.011.30156, 2017.011.30158, 2017.011.30166, 2017.011.30171, 2017.011.30175, 2017.011.30180, 2017.011.30188, 2017.011.30190, 2017.011.30194, 2017.011.30196, 2017.011.30197

Adobe Acrobat Reader: 2017.011.30156, 2017.011.30158, 2017.011.30171, 2017.011.30180, 2017.011.30188, 2017.011.30190, 2017.011.30194, 2017.011.30196, 2017.011.30197

External links

https://helpx.adobe.com/security/products/acrobat/apsb21-51.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website or opening an attachment in an e-mail message.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Out-of-bounds read

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-35987

CWE-ID: CWE-125 - Out-of-bounds Read

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition. A remote attacker can create a specially crafted PDF file, trick the victim into opening it, trigger an out-of-bounds read error and read the contents of memory on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Adobe Acrobat DC: 2020.001.30020, 2020.001.30025, 2020.004.30005, 2020.006.20034, 2020.006.20042, 2020.009.20063, 2020.009.20074, 2020.012.20041, 2020.012.20048, 2020.013.20064, 2020.013.20066, 2020.013.20074, 2021.001.20135, 2021.001.20149, 2021.001.20150, 2021.001.20155, 2021.005.20054, 2021.005.20148

Adobe Acrobat Reader DC: 2020.001.30020, 2020.001.30025, 2020.004.30005, 2020.006.20034, 2020.006.20042, 2020.009.20063, 2020.009.20074, 2020.012.20041, 2020.012.20048, 2020.013.20064, 2020.013.20066, 2020.013.20074, 2021.001.20135, 2021.001.20149, 2021.001.20150, 2021.001.20155, 2021.005.20054, 2021.005.20148

Adobe Acrobat: 2017.008.30051, 2017.011.30066, 2017.011.30068, 2017.011.30070, 2017.011.30078, 2017.011.30096, 2017.011.30102, 2017.011.30105, 2017.011.30120, 2017.011.30127, 2017.011.30148, 2017.011.30150, 2017.011.30152, 2017.011.30156, 2017.011.30158, 2017.011.30166, 2017.011.30171, 2017.011.30175, 2017.011.30180, 2017.011.30188, 2017.011.30190, 2017.011.30194, 2017.011.30196, 2017.011.30197

Adobe Acrobat Reader: 2017.011.30156, 2017.011.30158, 2017.011.30171, 2017.011.30180, 2017.011.30188, 2017.011.30190, 2017.011.30194, 2017.011.30196, 2017.011.30197

External links

https://helpx.adobe.com/security/products/acrobat/apsb21-51.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website or opening an attachment in an e-mail message.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Out-of-bounds read

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-28637

CWE-ID: CWE-125 - Out-of-bounds Read

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition. A remote attacker can create a specially crafted PDF file, trick the victim into opening it, trigger an out-of-bounds read error and read the contents of memory on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Adobe Acrobat DC: 2020.001.30020, 2020.001.30025, 2020.004.30005, 2020.006.20034, 2020.006.20042, 2020.009.20063, 2020.009.20074, 2020.012.20041, 2020.012.20048, 2020.013.20064, 2020.013.20066, 2020.013.20074, 2021.001.20135, 2021.001.20149, 2021.001.20150, 2021.001.20155, 2021.005.20054, 2021.005.20148

Adobe Acrobat Reader DC: 2020.001.30020, 2020.001.30025, 2020.004.30005, 2020.006.20034, 2020.006.20042, 2020.009.20063, 2020.009.20074, 2020.012.20041, 2020.012.20048, 2020.013.20064, 2020.013.20066, 2020.013.20074, 2021.001.20135, 2021.001.20149, 2021.001.20150, 2021.001.20155, 2021.005.20054, 2021.005.20148

Adobe Acrobat: 2017.008.30051, 2017.011.30066, 2017.011.30068, 2017.011.30070, 2017.011.30078, 2017.011.30096, 2017.011.30102, 2017.011.30105, 2017.011.30120, 2017.011.30127, 2017.011.30148, 2017.011.30150, 2017.011.30152, 2017.011.30156, 2017.011.30158, 2017.011.30166, 2017.011.30171, 2017.011.30175, 2017.011.30180, 2017.011.30188, 2017.011.30190, 2017.011.30194, 2017.011.30196, 2017.011.30197

Adobe Acrobat Reader: 2017.011.30156, 2017.011.30158, 2017.011.30171, 2017.011.30180, 2017.011.30188, 2017.011.30190, 2017.011.30194, 2017.011.30196, 2017.011.30197

External links

https://helpx.adobe.com/security/products/acrobat/apsb21-51.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website or opening an attachment in an e-mail message.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Out-of-bounds write

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-28642

CWE-ID: CWE-787 - Out-of-bounds Write

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to a boundary condition when processing PDF files. A remote attacker can trick the victim into opening a specially crafted PDF document, trigger an out-of-bounds write error and execute arbitrary code on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Adobe Acrobat DC: 2020.001.30020, 2020.001.30025, 2020.004.30005, 2020.006.20034, 2020.006.20042, 2020.009.20063, 2020.009.20074, 2020.012.20041, 2020.012.20048, 2020.013.20064, 2020.013.20066, 2020.013.20074, 2021.001.20135, 2021.001.20149, 2021.001.20150, 2021.001.20155, 2021.005.20054, 2021.005.20148

Adobe Acrobat Reader DC: 2020.001.30020, 2020.001.30025, 2020.004.30005, 2020.006.20034, 2020.006.20042, 2020.009.20063, 2020.009.20074, 2020.012.20041, 2020.012.20048, 2020.013.20064, 2020.013.20066, 2020.013.20074, 2021.001.20135, 2021.001.20149, 2021.001.20150, 2021.001.20155, 2021.005.20054, 2021.005.20148

Adobe Acrobat: 2017.008.30051, 2017.011.30066, 2017.011.30068, 2017.011.30070, 2017.011.30078, 2017.011.30096, 2017.011.30102, 2017.011.30105, 2017.011.30120, 2017.011.30127, 2017.011.30148, 2017.011.30150, 2017.011.30152, 2017.011.30156, 2017.011.30158, 2017.011.30166, 2017.011.30171, 2017.011.30175, 2017.011.30180, 2017.011.30188, 2017.011.30190, 2017.011.30194, 2017.011.30196, 2017.011.30197

Adobe Acrobat Reader: 2017.011.30156, 2017.011.30158, 2017.011.30171, 2017.011.30180, 2017.011.30188, 2017.011.30190, 2017.011.30194, 2017.011.30196, 2017.011.30197

External links

https://helpx.adobe.com/security/products/acrobat/apsb21-51.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website or opening an attachment in an e-mail message.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Use-after-free

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-28639

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to a boundary condition when processing PDF files. A remote attacker can trick the victim into opening a specially crafted PDF document, trigger a use-after-free error and execute arbitrary code on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Adobe Acrobat DC: 2020.001.30020, 2020.001.30025, 2020.004.30005, 2020.006.20034, 2020.006.20042, 2020.009.20063, 2020.009.20074, 2020.012.20041, 2020.012.20048, 2020.013.20064, 2020.013.20066, 2020.013.20074, 2021.001.20135, 2021.001.20149, 2021.001.20150, 2021.001.20155, 2021.005.20054, 2021.005.20148

Adobe Acrobat Reader DC: 2020.001.30020, 2020.001.30025, 2020.004.30005, 2020.006.20034, 2020.006.20042, 2020.009.20063, 2020.009.20074, 2020.012.20041, 2020.012.20048, 2020.013.20064, 2020.013.20066, 2020.013.20074, 2021.001.20135, 2021.001.20149, 2021.001.20150, 2021.001.20155, 2021.005.20054, 2021.005.20148

Adobe Acrobat: 2017.008.30051, 2017.011.30066, 2017.011.30068, 2017.011.30070, 2017.011.30078, 2017.011.30096, 2017.011.30102, 2017.011.30105, 2017.011.30120, 2017.011.30127, 2017.011.30148, 2017.011.30150, 2017.011.30152, 2017.011.30156, 2017.011.30158, 2017.011.30166, 2017.011.30171, 2017.011.30175, 2017.011.30180, 2017.011.30188, 2017.011.30190, 2017.011.30194, 2017.011.30196, 2017.011.30197

Adobe Acrobat Reader: 2017.011.30156, 2017.011.30158, 2017.011.30171, 2017.011.30180, 2017.011.30188, 2017.011.30190, 2017.011.30194, 2017.011.30196, 2017.011.30197

External links

https://helpx.adobe.com/security/products/acrobat/apsb21-51.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website or opening an attachment in an e-mail message.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Use-after-free

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-28641

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to a boundary condition when processing PDF files. A remote attacker can trick the victim into opening a specially crafted PDF document, trigger a use-after-free error and execute arbitrary code on the system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Adobe Acrobat DC: 2020.001.30020, 2020.001.30025, 2020.004.30005, 2020.006.20034, 2020.006.20042, 2020.009.20063, 2020.009.20074, 2020.012.20041, 2020.012.20048, 2020.013.20064, 2020.013.20066, 2020.013.20074, 2021.001.20135, 2021.001.20149, 2021.001.20150, 2021.001.20155, 2021.005.20054, 2021.005.20148

Adobe Acrobat Reader DC: 2020.001.30020, 2020.001.30025, 2020.004.30005, 2020.006.20034, 2020.006.20042, 2020.009.20063, 2020.009.20074, 2020.012.20041, 2020.012.20048, 2020.013.20064, 2020.013.20066, 2020.013.20074, 2021.001.20135, 2021.001.20149, 2021.001.20150, 2021.001.20155, 2021.005.20054, 2021.005.20148

Adobe Acrobat: 2017.008.30051, 2017.011.30066, 2017.011.30068, 2017.011.30070, 2017.011.30078, 2017.011.30096, 2017.011.30102, 2017.011.30105, 2017.011.30120, 2017.011.30127, 2017.011.30148, 2017.011.30150, 2017.011.30152, 2017.011.30156, 2017.011.30158, 2017.011.30166, 2017.011.30171, 2017.011.30175, 2017.011.30180, 2017.011.30188, 2017.011.30190, 2017.011.30194, 2017.011.30196, 2017.011.30197

Adobe Acrobat Reader: 2017.011.30156, 2017.011.30158, 2017.011.30171, 2017.011.30180, 2017.011.30188, 2017.011.30190, 2017.011.30194, 2017.011.30196, 2017.011.30197

External links

https://helpx.adobe.com/security/products/acrobat/apsb21-51.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website or opening an attachment in an e-mail message.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Type confusion

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-28643

CWE-ID: CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to a boundary condition when processing PDF files. A remote attacker can trick the victim into opening a specially crafted PDF document, trigger a type confusion error and execute arbitrary code on the system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Adobe Acrobat DC: 2020.001.30020, 2020.001.30025, 2020.004.30005, 2020.006.20034, 2020.006.20042, 2020.009.20063, 2020.009.20074, 2020.012.20041, 2020.012.20048, 2020.013.20064, 2020.013.20066, 2020.013.20074, 2021.001.20135, 2021.001.20149, 2021.001.20150, 2021.001.20155, 2021.005.20054, 2021.005.20148

Adobe Acrobat Reader DC: 2020.001.30020, 2020.001.30025, 2020.004.30005, 2020.006.20034, 2020.006.20042, 2020.009.20063, 2020.009.20074, 2020.012.20041, 2020.012.20048, 2020.013.20064, 2020.013.20066, 2020.013.20074, 2021.001.20135, 2021.001.20149, 2021.001.20150, 2021.001.20155, 2021.005.20054, 2021.005.20148

Adobe Acrobat: 2017.008.30051, 2017.011.30066, 2017.011.30068, 2017.011.30070, 2017.011.30078, 2017.011.30096, 2017.011.30102, 2017.011.30105, 2017.011.30120, 2017.011.30127, 2017.011.30148, 2017.011.30150, 2017.011.30152, 2017.011.30156, 2017.011.30158, 2017.011.30166, 2017.011.30171, 2017.011.30175, 2017.011.30180, 2017.011.30188, 2017.011.30190, 2017.011.30194, 2017.011.30196, 2017.011.30197

Adobe Acrobat Reader: 2017.011.30156, 2017.011.30158, 2017.011.30171, 2017.011.30180, 2017.011.30188, 2017.011.30190, 2017.011.30194, 2017.011.30196, 2017.011.30197

External links

https://helpx.adobe.com/security/products/acrobat/apsb21-51.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website or opening an attachment in an e-mail message.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Use-after-free

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-28640

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to a boundary condition when processing PDF files. A remote attacker can trick the victim into opening a specially crafted PDF document, trigger a use-after-free error and execute arbitrary code on the system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Adobe Acrobat DC: 2020.001.30020, 2020.001.30025, 2020.004.30005, 2020.006.20034, 2020.006.20042, 2020.009.20063, 2020.009.20074, 2020.012.20041, 2020.012.20048, 2020.013.20064, 2020.013.20066, 2020.013.20074, 2021.001.20135, 2021.001.20149, 2021.001.20150, 2021.001.20155, 2021.005.20054, 2021.005.20148

Adobe Acrobat Reader DC: 2020.001.30020, 2020.001.30025, 2020.004.30005, 2020.006.20034, 2020.006.20042, 2020.009.20063, 2020.009.20074, 2020.012.20041, 2020.012.20048, 2020.013.20064, 2020.013.20066, 2020.013.20074, 2021.001.20135, 2021.001.20149, 2021.001.20150, 2021.001.20155, 2021.005.20054, 2021.005.20148

Adobe Acrobat: 2017.008.30051, 2017.011.30066, 2017.011.30068, 2017.011.30070, 2017.011.30078, 2017.011.30096, 2017.011.30102, 2017.011.30105, 2017.011.30120, 2017.011.30127, 2017.011.30148, 2017.011.30150, 2017.011.30152, 2017.011.30156, 2017.011.30158, 2017.011.30166, 2017.011.30171, 2017.011.30175, 2017.011.30180, 2017.011.30188, 2017.011.30190, 2017.011.30194, 2017.011.30196, 2017.011.30197

Adobe Acrobat Reader: 2017.011.30156, 2017.011.30158, 2017.011.30171, 2017.011.30180, 2017.011.30188, 2017.011.30190, 2017.011.30194, 2017.011.30196, 2017.011.30197

External links

https://helpx.adobe.com/security/products/acrobat/apsb21-51.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website or opening an attachment in an e-mail message.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

18) Path traversal

Risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-28644

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote attacker to overwrite arbitrary files on the system.

The vulnerability exists due to an input validation error when processing PDF files. A remote attacker can trick the victim into opening a specially crafted PDF document and overwrite arbitrary files on the system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Adobe Acrobat DC: 2020.001.30020, 2020.001.30025, 2020.004.30005, 2020.006.20034, 2020.006.20042, 2020.009.20063, 2020.009.20074, 2020.012.20041, 2020.012.20048, 2020.013.20064, 2020.013.20066, 2020.013.20074, 2021.001.20135, 2021.001.20149, 2021.001.20150, 2021.001.20155, 2021.005.20054, 2021.005.20148

Adobe Acrobat Reader DC: 2020.001.30020, 2020.001.30025, 2020.004.30005, 2020.006.20034, 2020.006.20042, 2020.009.20063, 2020.009.20074, 2020.012.20041, 2020.012.20048, 2020.013.20064, 2020.013.20066, 2020.013.20074, 2021.001.20135, 2021.001.20149, 2021.001.20150, 2021.001.20155, 2021.005.20054, 2021.005.20148

Adobe Acrobat: 2017.008.30051, 2017.011.30066, 2017.011.30068, 2017.011.30070, 2017.011.30078, 2017.011.30096, 2017.011.30102, 2017.011.30105, 2017.011.30120, 2017.011.30127, 2017.011.30148, 2017.011.30150, 2017.011.30152, 2017.011.30156, 2017.011.30158, 2017.011.30166, 2017.011.30171, 2017.011.30175, 2017.011.30180, 2017.011.30188, 2017.011.30190, 2017.011.30194, 2017.011.30196, 2017.011.30197

Adobe Acrobat Reader: 2017.011.30156, 2017.011.30158, 2017.011.30171, 2017.011.30180, 2017.011.30188, 2017.011.30190, 2017.011.30194, 2017.011.30196, 2017.011.30197

External links

https://helpx.adobe.com/security/products/acrobat/apsb21-51.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website or opening an attachment in an e-mail message.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

19) Path traversal

Risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-35980

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote attacker to overwrite arbitrary files on the system.

The vulnerability exists due to an input validation error when processing PDF files. A remote attacker can trick the victim into opening a specially crafted PDF document and overwrite arbitrary files on the system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Adobe Acrobat DC: 2020.001.30020, 2020.001.30025, 2020.004.30005, 2020.006.20034, 2020.006.20042, 2020.009.20063, 2020.009.20074, 2020.012.20041, 2020.012.20048, 2020.013.20064, 2020.013.20066, 2020.013.20074, 2021.001.20135, 2021.001.20149, 2021.001.20150, 2021.001.20155, 2021.005.20054, 2021.005.20148

Adobe Acrobat Reader DC: 2020.001.30020, 2020.001.30025, 2020.004.30005, 2020.006.20034, 2020.006.20042, 2020.009.20063, 2020.009.20074, 2020.012.20041, 2020.012.20048, 2020.013.20064, 2020.013.20066, 2020.013.20074, 2021.001.20135, 2021.001.20149, 2021.001.20150, 2021.001.20155, 2021.005.20054, 2021.005.20148

Adobe Acrobat: 2017.008.30051, 2017.011.30066, 2017.011.30068, 2017.011.30070, 2017.011.30078, 2017.011.30096, 2017.011.30102, 2017.011.30105, 2017.011.30120, 2017.011.30127, 2017.011.30148, 2017.011.30150, 2017.011.30152, 2017.011.30156, 2017.011.30158, 2017.011.30166, 2017.011.30171, 2017.011.30175, 2017.011.30180, 2017.011.30188, 2017.011.30190, 2017.011.30194, 2017.011.30196, 2017.011.30197

Adobe Acrobat Reader: 2017.011.30156, 2017.011.30158, 2017.011.30171, 2017.011.30180, 2017.011.30188, 2017.011.30190, 2017.011.30194, 2017.011.30196, 2017.011.30197

External links

https://helpx.adobe.com/security/products/acrobat/apsb21-51.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website or opening an attachment in an e-mail message.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


