Multiple vulnerabilities in Adobe Acrobat and Reader
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 19 |
| CVE-ID | CVE-2021-35988 CVE-2021-28638 CVE-2021-28635 CVE-2021-35981 CVE-2021-35983 CVE-2021-28634 CVE-2021-28636 CVE-2021-35984 CVE-2021-35985 CVE-2021-35986 CVE-2021-35987 CVE-2021-28637 CVE-2021-28642 CVE-2021-28639 CVE-2021-28641 CVE-2021-28643 CVE-2021-28640 CVE-2021-28644 CVE-2021-35980 |
| CWE-ID | CWE-125 CWE-122 CWE-416 CWE-78 CWE-427 CWE-476 CWE-843 CWE-787 CWE-22 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Adobe Acrobat Client/Desktop applications / Office applications Adobe Reader Client/Desktop applications / Office applications |
| Vendor | Adobe |
Security Bulletin
This security bulletin contains information about 19 vulnerabilities.
1) Out-of-bounds read
EUVDB-ID: #VU54687
Risk: Low
CVSSv3.1:
CVE-ID: CVE-2021-35988
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition. A remote attacker can create a specially crafted PDF file, trick the victim into opening it, trigger out-of-bounds read error and read contents of memory on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAdobe Acrobat: 20.001.30020 - 20.013.20074, 17.008.30051 - 17.011.30197
Adobe Reader: 2020.001.30020 - 2020.013.20074, 2017.011.30156 - 2017.011.30197
CPE2.3 External links
http://helpx.adobe.com/security/products/acrobat/apsb21-51.html
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
2) Heap-based buffer overflow
EUVDB-ID: #VU54708
Risk: High
CVSSv3.1:
CVE-ID: CVE-2021-28638
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise the affected system
The vulnerability exists due to a boundary condition when processing PDF files. A remote attacker can trick the victim to open a specially crafted PDF document, trigger a heap-based buffer overflow and execute arbitrary code on the system.
Install updates from vendor's website.
Vulnerable software versionsAdobe Acrobat: 20.001.30020 - 20.013.20074, 17.008.30051 - 17.011.30197
Adobe Reader: 2020.001.30020 - 2020.013.20074, 2017.011.30156 - 2017.011.30197
CPE2.3 External links
http://helpx.adobe.com/security/products/acrobat/apsb21-51.html
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
3) Use-after-free
EUVDB-ID: #VU54696
Risk: High
CVSSv3.1:
CVE-ID: CVE-2021-28635
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise the affected system
The vulnerability exists due to a boundary condition when processing PDF files. A remote attacker can trick the victim to open a specially crafted PDF document, trigger a use-after-free error and execute arbitrary code on the system.
Install updates from vendor's website.
Vulnerable software versionsAdobe Acrobat: 20.001.30020 - 20.013.20074, 17.008.30051 - 17.011.30197
Adobe Reader: 2020.001.30020 - 2020.013.20074, 2017.011.30156 - 2017.011.30197
CPE2.3 External links
http://helpx.adobe.com/security/products/acrobat/apsb21-51.html
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
4) Use-after-free
EUVDB-ID: #VU54695
Risk: High
CVSSv3.1:
CVE-ID: CVE-2021-35981
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise the affected system
The vulnerability exists due to a boundary condition when processing PDF files. A remote attacker can trick the victim to open a specially crafted PDF document, trigger a use-after-free error and execute arbitrary code on the system.
Install updates from vendor's website.
Vulnerable software versionsAdobe Acrobat: 20.001.30020 - 20.013.20074, 17.008.30051 - 17.011.30197
Adobe Reader: 2020.001.30020 - 2020.013.20074, 2017.011.30156 - 2017.011.30197
CPE2.3 External links
http://helpx.adobe.com/security/products/acrobat/apsb21-51.html
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
5) Use-after-free
EUVDB-ID: #VU54694
Risk: High
CVSSv3.1:
CVE-ID: CVE-2021-35983
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise the affected system
The vulnerability exists due to a boundary condition when processing PDF files. A remote attacker can trick the victim to open a specially crafted PDF document, trigger a use-after-free error and execute arbitrary code on the system.
Install updates from vendor's website.
Vulnerable software versionsAdobe Acrobat: 20.001.30020 - 20.013.20074, 17.008.30051 - 17.011.30197
Adobe Reader: 2020.001.30020 - 2020.013.20074, 2017.011.30156 - 2017.011.30197
CPE2.3 External links
http://helpx.adobe.com/security/products/acrobat/apsb21-51.html
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
6) Command injection
EUVDB-ID: #VU54714
Risk: Low
CVSSv3.1:
CVE-ID: CVE-2021-28634
CWE-ID:
CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Exploit availability: No
Description
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to improper input validation. A local user can execute arbitrary OS commands and escalate privileges on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAdobe Acrobat: 20.001.30020 - 20.013.20074, 17.008.30051 - 17.011.30197
Adobe Reader: 2020.001.30020 - 2020.013.20074, 2017.011.30156 - 2017.011.30197
CPE2.3 External links
http://helpx.adobe.com/security/products/acrobat/apsb21-51.html
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
7) Insecure DLL loading
EUVDB-ID: #VU54713
Risk: High
CVSSv3.1:
CVE-ID: CVE-2021-28636
CWE-ID:
CWE-427 - Uncontrolled Search Path Element
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to the application loads DLL libraries in an insecure manner. A remote attacker can place a specially crafted .dll file on a remote SMB fileshare, trick the victim into opening a file, associated with the vulnerable application, and execute arbitrary code on victim's system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAdobe Acrobat: 20.001.30020 - 20.013.20074, 17.008.30051 - 17.011.30197
Adobe Reader: 2020.001.30020 - 2020.013.20074, 2017.011.30156 - 2017.011.30197
CPE2.3 External links
http://helpx.adobe.com/security/products/acrobat/apsb21-51.html
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
8) NULL pointer dereference
EUVDB-ID: #VU54711
Risk: Low
CVSSv3.1:
CVE-ID: CVE-2021-35984
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error. A remote attacker can trick the victim to open a specially crafted file and perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAdobe Acrobat: 20.001.30020 - 20.013.20074, 17.008.30051 - 17.011.30197
Adobe Reader: 2020.001.30020 - 2020.013.20074, 2017.011.30156 - 2017.011.30197
CPE2.3 External links
http://helpx.adobe.com/security/products/acrobat/apsb21-51.html
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
9) NULL pointer dereference
EUVDB-ID: #VU54710
Risk: Low
CVSSv3.1:
CVE-ID: CVE-2021-35985
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error. A remote attacker can trick the victim to open a specially crafted file and perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAdobe Acrobat: 20.001.30020 - 20.013.20074, 17.008.30051 - 17.011.30197
Adobe Reader: 2020.001.30020 - 2020.013.20074, 2017.011.30156 - 2017.011.30197
CPE2.3 External links
http://helpx.adobe.com/security/products/acrobat/apsb21-51.html
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
10) Type confusion
EUVDB-ID: #VU54698
Risk: High
CVSSv3.1:
CVE-ID: CVE-2021-35986
CWE-ID:
CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise the affected system
The vulnerability exists due to a boundary condition within the getAnnots method when processing PDF files. A remote attacker can trick the victim to open a specially crafted PDF document, trigger a type confusion error and execute arbitrary code on the system.
Install updates from vendor's website.
Vulnerable software versionsAdobe Acrobat: 20.001.30020 - 20.013.20074, 17.008.30051 - 17.011.30197
Adobe Reader: 2020.001.30020 - 2020.013.20074, 2017.011.30156 - 2017.011.30197
CPE2.3 External links
http://helpx.adobe.com/security/products/acrobat/apsb21-51.html
http://www.zerodayinitiative.com/advisories/ZDI-21-1145/
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
11) Out-of-bounds read
EUVDB-ID: #VU54688
Risk: Low
CVSSv3.1:
CVE-ID: CVE-2021-35987
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition. A remote attacker can create a specially crafted PDF file, trick the victim into opening it, trigger out-of-bounds read error and read contents of memory on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAdobe Acrobat: 20.001.30020 - 20.013.20074, 17.008.30051 - 17.011.30197
Adobe Reader: 2020.001.30020 - 2020.013.20074, 2017.011.30156 - 2017.011.30197
CPE2.3 External links
http://helpx.adobe.com/security/products/acrobat/apsb21-51.html
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
12) Out-of-bounds read
EUVDB-ID: #VU54707
Risk: Low
CVSSv3.1:
CVE-ID: CVE-2021-28637
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition. A remote attacker can create a specially crafted PDF file, trick the victim into opening it, trigger out-of-bounds read error and read contents of memory on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAdobe Acrobat: 20.001.30020 - 20.013.20074, 17.008.30051 - 17.011.30197
Adobe Reader: 2020.001.30020 - 2020.013.20074, 2017.011.30156 - 2017.011.30197
CPE2.3 External links
http://helpx.adobe.com/security/products/acrobat/apsb21-51.html
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
13) Out-of-bounds write
EUVDB-ID: #VU54706
Risk: High
CVSSv3.1:
CVE-ID: CVE-2021-28642
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise the affected system
The vulnerability exists due to a boundary condition when processing PDF files. A remote attacker can trick the victim to open a specially crafted PDF document, trigger an Out-of-bounds write error and execute arbitrary code on the system.
Install updates from vendor's website.
Vulnerable software versionsAdobe Acrobat: 20.001.30020 - 20.013.20074, 17.008.30051 - 17.011.30197
Adobe Reader: 2020.001.30020 - 2020.013.20074, 2017.011.30156 - 2017.011.30197
CPE2.3 External links
http://helpx.adobe.com/security/products/acrobat/apsb21-51.html
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
14) Use-after-free
EUVDB-ID: #VU54693
Risk: High
CVSSv3.1:
CVE-ID: CVE-2021-28639
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise the affected system
The vulnerability exists due to a boundary condition when processing PDF files. A remote attacker can trick the victim to open a specially crafted PDF document, trigger a use-after-free error and execute arbitrary code on the system.
Install updates from vendor's website.
Vulnerable software versionsAdobe Acrobat: 20.001.30020 - 20.013.20074, 17.008.30051 - 17.011.30197
Adobe Reader: 2020.001.30020 - 2020.013.20074, 2017.011.30156 - 2017.011.30197
CPE2.3 External links
http://helpx.adobe.com/security/products/acrobat/apsb21-51.html
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
15) Use-after-free
EUVDB-ID: #VU54692
Risk: High
CVSSv3.1:
CVE-ID: CVE-2021-28641
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise the affected system
The vulnerability exists due to a boundary condition when processing PDF files. A remote attacker can trick the victim to open a specially crafted PDF document, trigger a use-after-free error and execute arbitrary code on the system.
Install updates from vendor's website.
Vulnerable software versionsAdobe Acrobat: 20.001.30020 - 20.013.20074, 17.008.30051 - 17.011.30197
Adobe Reader: 2020.001.30020 - 2020.013.20074, 2017.011.30156 - 2017.011.30197
CPE2.3 External links
http://helpx.adobe.com/security/products/acrobat/apsb21-51.html
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
16) Type confusion
EUVDB-ID: #VU54697
Risk: High
CVSSv3.1:
CVE-ID: CVE-2021-28643
CWE-ID:
CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise the affected system
The vulnerability exists due to a boundary condition when processing PDF files. A remote attacker can trick the victim to open a specially crafted PDF document, trigger a type confusion error and execute arbitrary code on the system.
Install updates from vendor's website.
Vulnerable software versionsAdobe Acrobat: 20.001.30020 - 20.013.20074, 17.008.30051 - 17.011.30197
Adobe Reader: 2020.001.30020 - 2020.013.20074, 2017.011.30156 - 2017.011.30197
CPE2.3 External links
http://helpx.adobe.com/security/products/acrobat/apsb21-51.html
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
17) Use-after-free
EUVDB-ID: #VU54691
Risk: High
CVSSv3.1:
CVE-ID: CVE-2021-28640
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise the affected system
The vulnerability exists due to a boundary condition when processing PDF files. A remote attacker can trick the victim to open a specially crafted PDF document, trigger a use-after-free error and execute arbitrary code on the system.
Install updates from vendor's website.
Vulnerable software versionsAdobe Acrobat: 20.001.30020 - 20.013.20074, 17.008.30051 - 17.011.30197
Adobe Reader: 2020.001.30020 - 2020.013.20074, 2017.011.30156 - 2017.011.30197
CPE2.3 External links
http://helpx.adobe.com/security/products/acrobat/apsb21-51.html
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
18) Path traversal
EUVDB-ID: #VU54690
Risk: Medium
CVSSv3.1:
CVE-ID: CVE-2021-28644
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to overwrite arbitrary files on the system.
The vulnerability exists due to an input validation error when processing PDF files. A remote attacker can trick the victim to open a specially crafted PDF document and overwrite arbitrary files on the system.
Install updates from vendor's website.
Vulnerable software versionsAdobe Acrobat: 20.001.30020 - 20.013.20074, 17.008.30051 - 17.011.30197
Adobe Reader: 2020.001.30020 - 2020.013.20074, 2017.011.30156 - 2017.011.30197
CPE2.3 External links
http://helpx.adobe.com/security/products/acrobat/apsb21-51.html
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
19) Path traversal
EUVDB-ID: #VU54689
Risk: Medium
CVSSv3.1:
CVE-ID: CVE-2021-35980
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to overwrite arbitrary files on the system.
The vulnerability exists due to an input validation error when processing PDF files. A remote attacker can trick the victim to open a specially crafted PDF document and overwrite arbitrary files on the system.
Install updates from vendor's website.
Vulnerable software versionsAdobe Acrobat: 20.001.30020 - 20.013.20074, 17.008.30051 - 17.011.30197
Adobe Reader: 2020.001.30020 - 2020.013.20074, 2017.011.30156 - 2017.011.30197
CPE2.3 External links
http://helpx.adobe.com/security/products/acrobat/apsb21-51.html
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
