Multiple vulnerabilities in Adobe Acrobat and Reader



Published: 2021-07-13 | Updated: 2021-10-13
Risk: High
Patch available: YES
Number of vulnerabilities: 19
CVE-ID: CVE-2021-35988, CVE-2021-28638, CVE-2021-28635, CVE-2021-35981, CVE-2021-35983, CVE-2021-28634, CVE-2021-28636, CVE-2021-35984, CVE-2021-35985, CVE-2021-35986, CVE-2021-35987, CVE-2021-28637, CVE-2021-28642, CVE-2021-28639, CVE-2021-28641, CVE-2021-28643, CVE-2021-28640, CVE-2021-28644, CVE-2021-35980
CWE-ID: CWE-125, CWE-122, CWE-416, CWE-78, CWE-427, CWE-476, CWE-843, CWE-787, CWE-22
Exploitation vector: Network
Public exploit: N/A
Vulnerable software:
Adobe Acrobat (Client/Desktop applications / Office applications)
Adobe Reader (Client/Desktop applications / Office applications)
Vendor: Adobe

Security Bulletin

This security bulletin contains information about 19 vulnerabilities.

1) Out-of-bounds read

EUVDB-ID: #VU54687

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-35988

CWE-ID: CWE-125 - Out-of-bounds Read

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition. A remote attacker can create a specially crafted PDF file, trick the victim into opening it, trigger an out-of-bounds read error and read the contents of memory on the system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Adobe Acrobat: 2021.001.20135 - 2021.005.20148, 2020.001.30020 - 2020.013.20074, 2017.008.30051 - 2017.011.30197

Adobe Reader: 2021.001.20135 - 2021.005.20148, 2020.001.30020 - 2020.013.20074, 2017.011.30156 - 2017.011.30197


External links

http://helpx.adobe.com/security/products/acrobat/apsb21-51.html

2) Heap-based buffer overflow

EUVDB-ID: #VU54708

Risk: High

CVSSv3.1:

CVE-ID: CVE-2021-28638

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to a boundary condition when processing PDF files. A remote attacker can trick the victim into opening a specially crafted PDF document, trigger a heap-based buffer overflow and execute arbitrary code on the system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Adobe Acrobat: 2021.001.20135 - 2021.005.20148, 2020.001.30020 - 2020.013.20074, 2017.008.30051 - 2017.011.30197

Adobe Reader: 2021.001.20135 - 2021.005.20148, 2020.001.30020 - 2020.013.20074, 2017.011.30156 - 2017.011.30197


External links

http://helpx.adobe.com/security/products/acrobat/apsb21-51.html

3) Use-after-free

EUVDB-ID: #VU54696

Risk: High

CVSSv3.1:

CVE-ID: CVE-2021-28635

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to a boundary condition when processing PDF files. A remote attacker can trick the victim into opening a specially crafted PDF document, trigger a use-after-free error and execute arbitrary code on the system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Adobe Acrobat: 2021.001.20135 - 2021.005.20148, 2020.001.30020 - 2020.013.20074, 2017.008.30051 - 2017.011.30197

Adobe Reader: 2021.001.20135 - 2021.005.20148, 2020.001.30020 - 2020.013.20074, 2017.011.30156 - 2017.011.30197


External links

http://helpx.adobe.com/security/products/acrobat/apsb21-51.html

4) Use-after-free

EUVDB-ID: #VU54695

Risk: High

CVSSv3.1:

CVE-ID: CVE-2021-35981

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to a boundary condition when processing PDF files. A remote attacker can trick the victim into opening a specially crafted PDF document, trigger a use-after-free error and execute arbitrary code on the system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Adobe Acrobat: 2021.001.20135 - 2021.005.20148, 2020.001.30020 - 2020.013.20074, 2017.008.30051 - 2017.011.30197

Adobe Reader: 2021.001.20135 - 2021.005.20148, 2020.001.30020 - 2020.013.20074, 2017.011.30156 - 2017.011.30197


External links

http://helpx.adobe.com/security/products/acrobat/apsb21-51.html

5) Use-after-free

EUVDB-ID: #VU54694

Risk: High

CVSSv3.1:

CVE-ID: CVE-2021-35983

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to a boundary condition when processing PDF files. A remote attacker can trick the victim into opening a specially crafted PDF document, trigger a use-after-free error and execute arbitrary code on the system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Adobe Acrobat: 2021.001.20135 - 2021.005.20148, 2020.001.30020 - 2020.013.20074, 2017.008.30051 - 2017.011.30197

Adobe Reader: 2021.001.20135 - 2021.005.20148, 2020.001.30020 - 2020.013.20074, 2017.011.30156 - 2017.011.30197


External links

http://helpx.adobe.com/security/products/acrobat/apsb21-51.html

6) Command injection

EUVDB-ID: #VU54714

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-28634

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper input validation. A local user can execute arbitrary OS commands and escalate privileges on the system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Adobe Acrobat: 2021.001.20135 - 2021.005.20148, 2020.001.30020 - 2020.013.20074, 2017.008.30051 - 2017.011.30197

Adobe Reader: 2021.001.20135 - 2021.005.20148, 2020.001.30020 - 2020.013.20074, 2017.011.30156 - 2017.011.30197


External links

http://helpx.adobe.com/security/products/acrobat/apsb21-51.html

7) Insecure DLL loading

EUVDB-ID: #VU54713

Risk: High

CVSSv3.1:

CVE-ID: CVE-2021-28636

CWE-ID: CWE-427 - Uncontrolled Search Path Element

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists because the application loads DLL libraries in an insecure manner. A remote attacker can place a specially crafted .dll file on a remote SMB file share, trick the victim into opening a file associated with the vulnerable application, and execute arbitrary code on the victim's system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Adobe Acrobat: 2021.001.20135 - 2021.005.20148, 2020.001.30020 - 2020.013.20074, 2017.008.30051 - 2017.011.30197

Adobe Reader: 2021.001.20135 - 2021.005.20148, 2020.001.30020 - 2020.013.20074, 2017.011.30156 - 2017.011.30197


External links

http://helpx.adobe.com/security/products/acrobat/apsb21-51.html

8) NULL pointer dereference

EUVDB-ID: #VU54711

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-35984

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error. A remote attacker can trick the victim into opening a specially crafted file and perform a denial of service (DoS) attack.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Adobe Acrobat: 2021.001.20135 - 2021.005.20148, 2020.001.30020 - 2020.013.20074, 2017.008.30051 - 2017.011.30197

Adobe Reader: 2021.001.20135 - 2021.005.20148, 2020.001.30020 - 2020.013.20074, 2017.011.30156 - 2017.011.30197


External links

http://helpx.adobe.com/security/products/acrobat/apsb21-51.html

9) NULL pointer dereference

EUVDB-ID: #VU54710

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-35985

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error. A remote attacker can trick the victim into opening a specially crafted file and perform a denial of service (DoS) attack.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Adobe Acrobat: 2021.001.20135 - 2021.005.20148, 2020.001.30020 - 2020.013.20074, 2017.008.30051 - 2017.011.30197

Adobe Reader: 2021.001.20135 - 2021.005.20148, 2020.001.30020 - 2020.013.20074, 2017.011.30156 - 2017.011.30197


External links

http://helpx.adobe.com/security/products/acrobat/apsb21-51.html

10) Type confusion

EUVDB-ID: #VU54698

Risk: High

CVSSv3.1:

CVE-ID: CVE-2021-35986

CWE-ID: CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to a boundary condition within the getAnnots method when processing PDF files. A remote attacker can trick the victim into opening a specially crafted PDF document, trigger a type confusion error and execute arbitrary code on the system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Adobe Acrobat: 2021.001.20135 - 2021.005.20148, 2020.001.30020 - 2020.013.20074, 2017.008.30051 - 2017.011.30197

Adobe Reader: 2021.001.20135 - 2021.005.20148, 2020.001.30020 - 2020.013.20074, 2017.011.30156 - 2017.011.30197


External links

http://helpx.adobe.com/security/products/acrobat/apsb21-51.html
http://www.zerodayinitiative.com/advisories/ZDI-21-1145/

11) Out-of-bounds read

EUVDB-ID: #VU54688

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-35987

CWE-ID: CWE-125 - Out-of-bounds Read

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition. A remote attacker can create a specially crafted PDF file, trick the victim into opening it, trigger an out-of-bounds read error and read the contents of memory on the system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Adobe Acrobat: 2021.001.20135 - 2021.005.20148, 2020.001.30020 - 2020.013.20074, 2017.008.30051 - 2017.011.30197

Adobe Reader: 2021.001.20135 - 2021.005.20148, 2020.001.30020 - 2020.013.20074, 2017.011.30156 - 2017.011.30197


External links

http://helpx.adobe.com/security/products/acrobat/apsb21-51.html

12) Out-of-bounds read

EUVDB-ID: #VU54707

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-28637

CWE-ID: CWE-125 - Out-of-bounds Read

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition. A remote attacker can create a specially crafted PDF file, trick the victim into opening it, trigger an out-of-bounds read error and read the contents of memory on the system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Adobe Acrobat: 2021.001.20135 - 2021.005.20148, 2020.001.30020 - 2020.013.20074, 2017.008.30051 - 2017.011.30197

Adobe Reader: 2021.001.20135 - 2021.005.20148, 2020.001.30020 - 2020.013.20074, 2017.011.30156 - 2017.011.30197


External links

http://helpx.adobe.com/security/products/acrobat/apsb21-51.html

13) Out-of-bounds write

EUVDB-ID: #VU54706

Risk: High

CVSSv3.1:

CVE-ID: CVE-2021-28642

CWE-ID: CWE-787 - Out-of-bounds Write

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to a boundary condition when processing PDF files. A remote attacker can trick the victim into opening a specially crafted PDF document, trigger an out-of-bounds write error and execute arbitrary code on the system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Adobe Acrobat: 2021.001.20135 - 2021.005.20148, 2020.001.30020 - 2020.013.20074, 2017.008.30051 - 2017.011.30197

Adobe Reader: 2021.001.20135 - 2021.005.20148, 2020.001.30020 - 2020.013.20074, 2017.011.30156 - 2017.011.30197


External links

http://helpx.adobe.com/security/products/acrobat/apsb21-51.html

14) Use-after-free

EUVDB-ID: #VU54693

Risk: High

CVSSv3.1:

CVE-ID: CVE-2021-28639

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to a boundary condition when processing PDF files. A remote attacker can trick the victim into opening a specially crafted PDF document, trigger a use-after-free error and execute arbitrary code on the system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Adobe Acrobat: 2021.001.20135 - 2021.005.20148, 2020.001.30020 - 2020.013.20074, 2017.008.30051 - 2017.011.30197

Adobe Reader: 2021.001.20135 - 2021.005.20148, 2020.001.30020 - 2020.013.20074, 2017.011.30156 - 2017.011.30197


External links

http://helpx.adobe.com/security/products/acrobat/apsb21-51.html

15) Use-after-free

EUVDB-ID: #VU54692

Risk: High

CVSSv3.1:

CVE-ID: CVE-2021-28641

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to a boundary condition when processing PDF files. A remote attacker can trick the victim into opening a specially crafted PDF document, trigger a use-after-free error and execute arbitrary code on the system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Adobe Acrobat: 2021.001.20135 - 2021.005.20148, 2020.001.30020 - 2020.013.20074, 2017.008.30051 - 2017.011.30197

Adobe Reader: 2021.001.20135 - 2021.005.20148, 2020.001.30020 - 2020.013.20074, 2017.011.30156 - 2017.011.30197


External links

http://helpx.adobe.com/security/products/acrobat/apsb21-51.html

16) Type confusion

EUVDB-ID: #VU54697

Risk: High

CVSSv3.1:

CVE-ID: CVE-2021-28643

CWE-ID: CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to a boundary condition when processing PDF files. A remote attacker can trick the victim into opening a specially crafted PDF document, trigger a type confusion error and execute arbitrary code on the system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Adobe Acrobat: 2021.001.20135 - 2021.005.20148, 2020.001.30020 - 2020.013.20074, 2017.008.30051 - 2017.011.30197

Adobe Reader: 2021.001.20135 - 2021.005.20148, 2020.001.30020 - 2020.013.20074, 2017.011.30156 - 2017.011.30197


External links

http://helpx.adobe.com/security/products/acrobat/apsb21-51.html

17) Use-after-free

EUVDB-ID: #VU54691

Risk: High

CVSSv3.1:

CVE-ID: CVE-2021-28640

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to a boundary condition when processing PDF files. A remote attacker can trick the victim into opening a specially crafted PDF document, trigger a use-after-free error and execute arbitrary code on the system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Adobe Acrobat: 2021.001.20135 - 2021.005.20148, 2020.001.30020 - 2020.013.20074, 2017.008.30051 - 2017.011.30197

Adobe Reader: 2021.001.20135 - 2021.005.20148, 2020.001.30020 - 2020.013.20074, 2017.011.30156 - 2017.011.30197


External links

http://helpx.adobe.com/security/products/acrobat/apsb21-51.html

18) Path traversal

EUVDB-ID: #VU54690

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-28644

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote attacker to overwrite arbitrary files on the system.

The vulnerability exists due to an input validation error when processing PDF files. A remote attacker can trick the victim into opening a specially crafted PDF document and overwrite arbitrary files on the system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Adobe Acrobat: 2021.001.20135 - 2021.005.20148, 2020.001.30020 - 2020.013.20074, 2017.008.30051 - 2017.011.30197

Adobe Reader: 2021.001.20135 - 2021.005.20148, 2020.001.30020 - 2020.013.20074, 2017.011.30156 - 2017.011.30197


External links

http://helpx.adobe.com/security/products/acrobat/apsb21-51.html

19) Path traversal

EUVDB-ID: #VU54689

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-35980

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote attacker to overwrite arbitrary files on the system.

The vulnerability exists due to an input validation error when processing PDF files. A remote attacker can trick the victim into opening a specially crafted PDF document and overwrite arbitrary files on the system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Adobe Acrobat: 2021.001.20135 - 2021.005.20148, 2020.001.30020 - 2020.013.20074, 2017.008.30051 - 2017.011.30197

Adobe Reader: 2021.001.20135 - 2021.005.20148, 2020.001.30020 - 2020.013.20074, 2017.011.30156 - 2017.011.30197
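Every entry in this bulletin lists the same affected version ranges, so one check covers all 19. The script below is an added example, not part of the bulletin or Adobe's tooling: it parses the two "Vulnerable software versions" lines exactly as printed above (embedded here as constructed input) and classifies an installed build as inside a listed range, newer than the top of its release track, or not covered by the bulletin at all. Identifying a release track by the leading year component (2021, 2020, 2017) is this example's own assumption.

```python
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# The two version lines exactly as the bulletin prints them (constructed input
# for this example; every entry on the page lists the same ranges).
BULLETIN_LINES = [
    "Adobe Acrobat: 2021.001.20135 - 2021.005.20148, 2020.001.30020 - 2020.013.20074, 2017.008.30051 - 2017.011.30197",
    "Adobe Reader: 2021.001.20135 - 2021.005.20148, 2020.001.30020 - 2020.013.20074, 2017.011.30156 - 2017.011.30197",
]


def parse_version(text: str) -> Version:
    """Turn '2021.005.20148' into (2021, 5, 20148). Comparing as integer tuples
    avoids the string-compare trap where '2020.013...' sorts before '2020.9...'."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version format: {text!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])


def parse_ranges_line(line: str) -> Tuple[str, List[Tuple[Version, Version]]]:
    """Parse 'Product: low - high, low - high, ...' into (product, [(low, high), ...]).
    Bounds are inclusive, as the bulletin lists them."""
    product, sep, rest = line.partition(":")
    if not sep:
        raise ValueError(f"missing product separator: {line!r}")
    ranges = []
    for chunk in rest.split(","):
        low, dash, high = chunk.partition("-")
        if not dash:
            raise ValueError(f"range without '-': {chunk!r}")
        ranges.append((parse_version(low), parse_version(high)))
    return product.strip(), ranges


VULNERABLE_RANGES: Dict[str, List[Tuple[Version, Version]]] = dict(
    parse_ranges_line(line) for line in BULLETIN_LINES
)


def assess(product: str, version: str) -> str:
    """Return 'vulnerable' (inside a listed range), 'fixed' (newer than the top of
    its track) or 'unlisted' (older than the bottom, or a track the bulletin does
    not cover). Assumption of this example: a release track is identified by the
    leading year component (2021, 2020, 2017)."""
    v = parse_version(version)
    for low, high in VULNERABLE_RANGES[product]:
        if low[0] != v[0]:
            continue  # different release track
        if low <= v <= high:
            return "vulnerable"
        return "fixed" if v > high else "unlisted"
    return "unlisted"


if __name__ == "__main__":
    # Constructed sample inventory: (host, product, installed version)
    inventory = [
        ("ws-01", "Adobe Reader", "2021.005.20148"),
        ("ws-02", "Adobe Acrobat", "2020.013.20075"),
        ("ws-03", "Adobe Reader", "2017.011.30155"),
    ]
    for host, product, ver in inventory:
        print(f"{host:6} {product:14} {ver:15} -> {assess(product, ver)}")
```

Note that "unlisted" is not a clean bill of health: a build older than the bottom of a listed range is simply outside what the bulletin enumerates, and the Reader 2017 track starts later (2017.011.30156) than the Acrobat one, so the product name matters.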


External links

http://helpx.adobe.com/security/products/acrobat/apsb21-51.html


