Adobe fixed multiple critical flaws in Acrobat and Reader
May 15, 2024
Adobe addressed multiple code execution vulnerabilities in several products, including Adobe Acrobat and Reader.
Adobe addressed multiple code execution vulnerabilities in its products, including Adobe Acrobat and Reader software.
The software giant released its Patch Tuesday updates to fix 35 security vulnerabilities, 12 of which impact Adobe Acrobat and Reader software.
The arbitrary code execution issues fixed by the company include Use After Free, Improper Input Validation, and Improper Access Control flaws.
| Vulnerability Category | Vulnerability Impact | Severity | CVSS base score | CVSS vector | CVE Number |
|---|---|---|---|---|---|
| Use After Free (CWE-416) | Arbitrary code execution | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-30284 |
| Out-of-bounds Write (CWE-787) | Arbitrary code execution | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-30310 |
| Use After Free (CWE-416) | Arbitrary code execution | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-34094 |
| Use After Free (CWE-416) | Arbitrary code execution | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-34095 |
| Use After Free (CWE-416) | Arbitrary code execution | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-34096 |
| Use After Free (CWE-416) | Arbitrary code execution | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-34097 |
| Improper Input Validation (CWE-20) | Arbitrary code execution | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-34098 |
| Improper Access Control (CWE-284) | Arbitrary code execution | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-34099 |
| Use After Free (CWE-416) | Arbitrary code execution | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-34100 |
| Out-of-bounds Read (CWE-125) | Memory leak | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2024-30311 |
| Out-of-bounds Read (CWE-125) | Memory leak | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2024-30312 |
| Out-of-bounds Read (CWE-125) | Memory leak | Moderate | 3.3 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N | CVE-2024-34101 |
The vulnerabilities were reported by the following researchers and research teams:
- Mark Vincent Yason (markyason.github.io) working with Trend Micro Zero Day Initiative – CVE-2024-30284, CVE-2024-34094, CVE-2024-34095, CVE-2024-34096, CVE-2024-34097
- Cisco Talos (ciscotalos) – CVE-2024-30311, CVE-2024-30312
- Bobby Gould of Trend Micro Zero Day Initiative – CVE-2024-30310, CVE-2024-34101
- AbdulAziz Hariri (@abdhariri) of Haboob SA (@HaboobSa) – CVE-2024-34098, CVE-2024-34099
- Suyue Guo and Wei You from Renmin University of China (ruc_se_sec) – CVE-2024-34100
Adobe PSIRT is not aware of attacks in the wild exploiting the above vulnerabilities.
The vulnerabilities affect versions 24.002.20736 and earlier, and 20.005.30574 and earlier, on Windows and macOS.
Adobe also fixed issues in Adobe Illustrator (APSB24-30), Adobe Aero (APSB24-33), Adobe Dreamweaver (APSB24-39), Adobe Substance 3D Painter (APSB24-31), Adobe Substance 3D Designer (APSB24-35), Adobe Animate (APSB24-36), Adobe FrameMaker (APSB24-37).
Pierluigi Paganini
(SecurityAffairs – hacking, Acrobat)