Request a Demo
Rewterz
Rewterz Threat Advisory –CVE-2021-22000 – VMware ThinApp DLL hijacking Vulnerability
July 14, 2021
Rewterz
Rewterz Threat Advisory – CVE-2021-22928 – Citrix Virtual Apps and Desktops Vulnerability
July 14, 2021

Rewterz Threat Advisory – Multiple Adobe Security Vulnerabilities

Severity

High

Analysis Summary

CVE-2021-35983:CVE-2021-35981:CVE-2021-28639:2021-28640:2021-28641CVE-2021-28635

Adobe Acrobat and Adobe Reader could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free error. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to execute arbitrary code on the system with the privileges of the victim or cause the application to crash.

CVE-2021-35980:CVE-2021-28644

Adobe Acrobat and Adobe Reader could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing directory traversal sequences to read arbitrary files on the system.

CVE-2021-28643:CVE-2021-35986

Adobe Acrobat and Adobe Reader could allow a remote attacker to execute arbitrary code on the system, caused by a type confusion error. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to execute arbitrary code on the system with the privileges of the victim or cause the application to crash.

CVE-2021-35988:CVE-2021-35987:CVE-2021-28637

Adobe Acrobat and Adobe Reader could allow a remote attacker to obtain sensitive information, caused by an out-of-bounds read. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to obtain sensitive information.

CVE-2021-28642

Adobe Acrobat and Adobe Reader could allow a remote attacker to execute arbitrary code on the system, caused by out-of-bounds write errors. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to execute arbitrary code on the system with the privileges of the victim or cause the application to crash.

CVE-2021-28638

Adobe Acrobat and Adobe Reader are vulnerable to a heap-based buffer overflow. By persuading a victim to open a specially crafted document, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.

CVE-2021-35985:CVE-2021-35984

Adobe Acrobat and Adobe Reader are vulnerable to a denial of service, caused by a NULL pointer dereference error. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.

CVE-2021-28636

Adobe Acrobat and Adobe Reader could allow a remote attacker to gain elevated privileges on the system, caused by an uncontrolled search path element flaw. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to execute arbitrary code on the system with the privileges of the victim.

CVE-2021-28634

Adobe Acrobat and Adobe Reader could allow a remote attacker to execute arbitrary commands on the system, caused by an OS command injection flaw. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to execute arbitrary commands on the system with the privileges of the victim or cause the application to crash.

CVE-2021-35990:CVE-2021-35989

Adobe Bridge could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds write error. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to execute arbitrary code on the system with the privileges of the victim or cause the application to crash.

CVE-2021-28624

Adobe Bridge is vulnerable to a heap-based buffer overflow. By persuading a victim to open a specially crafted document, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.

CVE-2021-35992

Adobe Bridge could allow a remote attacker to obtain sensitive information, caused by an out-of-bounds read. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to obtain sensitive information.

CVE-2021-35991

Adobe Bridge could allow a remote attacker to execute arbitrary code on the system, caused by improper validation of input. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to execute arbitrary code on the system with the privileges of the victim or cause the application to crash.

Impact

  • Unauthorized access
  • Denial of services
  • Code execution
  • Memory corruption

Affected Vendors

Adobe

Affected Products

  • Adobe Acrobat 2017 2017.011.30197
  • Adobe Acrobat Reader 2017 2017.011.30197
  • Adobe Acrobat 2020 2020.004.30005
  • Adobe Acrobat Reader 2020 2020.004.30005
  • Adobe Bridge 11.0.2

Remediation

For Adobe Acrobat and Adobe Reader refer to advisory or suggested workaround information.

https://helpx.adobe.com/security/products/acrobat/apsb21-51.html

For Adobe Bridge refers to advisory or suggested workaround information.

https://helpx.adobe.com/security/products/bridge/apsb21-53.html