Vulnerability-Lookup

CNVD-2021-30424

Vulnerability from cnvd - Published: 2021-04-24

Title

多款Adobe产品安全功能绕过漏洞

Description

Adobe Acrobat等都是美国奥多比（Adobe）公司的产品。Adobe Acrobat是一套PDF文件编辑和转换工具。Reader是一套PDF文档阅读软件。Adobe Acrobat Reader是一款PDF查看器。多款Adobe产品存在安全漏洞。未经身份认证的攻击者可利用该漏洞在认证的PDF中显示任意内容且认证不会失效。

Severity

中

Patch Name

多款Adobe产品安全功能绕过漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://helpx.adobe.com/security/products/acrobat/apsb21-09.html

Reference

https://nvd.nist.gov/vuln/detail/CVE-2021-28546

Impacted products

Name
['Adobe Acrobat DC（Continuous） <=2020.013.20074', 'Adobe Acrobat Reader DC（Continuous） <=2020.013.20074', 'Adobe Acrobat 2020 (Classic 2020) <=2020.001.30018', 'Adobe Acrobat Reader 2020 (Classic 2020) <=2020.001.30018', 'Adobe Acrobat 2017（Classic 2017） <=2017.011.30188', 'Adobe Acrobat Reader 2017（Classic 2017） <=2017.011.30188']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-28546",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-28546"
    }
  },
  "description": "Adobe Acrobat\u7b49\u90fd\u662f\u7f8e\u56fd\u5965\u591a\u6bd4\uff08Adobe\uff09\u516c\u53f8\u7684\u4ea7\u54c1\u3002Adobe Acrobat\u662f\u4e00\u5957PDF\u6587\u4ef6\u7f16\u8f91\u548c\u8f6c\u6362\u5de5\u5177\u3002Reader\u662f\u4e00\u5957PDF\u6587\u6863\u9605\u8bfb\u8f6f\u4ef6\u3002Adobe Acrobat Reader\u662f\u4e00\u6b3ePDF\u67e5\u770b\u5668\u3002\n\n\u591a\u6b3eAdobe\u4ea7\u54c1\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u672a\u7ecf\u8eab\u4efd\u8ba4\u8bc1\u7684\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u8ba4\u8bc1\u7684PDF\u4e2d\u663e\u793a\u4efb\u610f\u5185\u5bb9\u4e14\u8ba4\u8bc1\u4e0d\u4f1a\u5931\u6548\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://helpx.adobe.com/security/products/acrobat/apsb21-09.html",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-30424",
  "openTime": "2021-04-24",
  "patchDescription": "Adobe Acrobat\u7b49\u90fd\u662f\u7f8e\u56fd\u5965\u591a\u6bd4\uff08Adobe\uff09\u516c\u53f8\u7684\u4ea7\u54c1\u3002Adobe Acrobat\u662f\u4e00\u5957PDF\u6587\u4ef6\u7f16\u8f91\u548c\u8f6c\u6362\u5de5\u5177\u3002Reader\u662f\u4e00\u5957PDF\u6587\u6863\u9605\u8bfb\u8f6f\u4ef6\u3002Adobe Acrobat Reader\u662f\u4e00\u6b3ePDF\u67e5\u770b\u5668\u3002\r\n\r\n\u591a\u6b3eAdobe\u4ea7\u54c1\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u672a\u7ecf\u8eab\u4efd\u8ba4\u8bc1\u7684\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u8ba4\u8bc1\u7684PDF\u4e2d\u663e\u793a\u4efb\u610f\u5185\u5bb9\u4e14\u8ba4\u8bc1\u4e0d\u4f1a\u5931\u6548\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "\u591a\u6b3eAdobe\u4ea7\u54c1\u5b89\u5168\u529f\u80fd\u7ed5\u8fc7\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Adobe Acrobat DC\uff08Continuous\uff09 \u003c=2020.013.20074",
      "Adobe Acrobat Reader DC\uff08Continuous\uff09 \u003c=2020.013.20074",
      "Adobe Acrobat 2020 (Classic 2020) \u003c=2020.001.30018",
      "Adobe Acrobat Reader 2020 (Classic 2020) \u003c=2020.001.30018",
      "Adobe Acrobat 2017\uff08Classic 2017\uff09 \u003c=2017.011.30188",
      "Adobe Acrobat Reader 2017\uff08Classic 2017\uff09 \u003c=2017.011.30188"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-28546",
  "serverity": "\u4e2d",
  "submitTime": "2021-04-02",
  "title": "\u591a\u6b3eAdobe\u4ea7\u54c1\u5b89\u5168\u529f\u80fd\u7ed5\u8fc7\u6f0f\u6d1e"
}

CVE-2021-28546 (GCVE-0-2021-28546)

Vulnerability from cvelistv5 – Published: 2021-04-01 13:35 – Updated: 2024-09-16 23:10

Title

Acrobat Reader DC Missing Support for Integrity Check

Summary

Acrobat Reader DC versions versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and 2017.011.30188 (and earlier) are missing support for an integrity check. An unauthenticated attacker could leverage this vulnerability to modify content in a certified PDF without invalidating the certification. Exploitation of this issue requires user interaction in that a victim must open the tampered file.

Severity

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CWE

CWE-353 - Missing Support for Integrity Check (CWE-353)

Assigner

adobe

References

1 reference

URL	Tags
https://helpx.adobe.com/security/products/acrobat…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
Adobe	Acrobat Reader	Affected: unspecified , ≤ 2020.013.20074 (custom) Affected: unspecified , ≤ 2020.001.30018 (custom) Affected: unspecified , ≤ 2017.011.30188 (custom) Affected: unspecified , ≤ None (custom)

Date Public

2021-02-09 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T21:47:32.620Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://helpx.adobe.com/security/products/acrobat/apsb21-09.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Acrobat Reader",
          "vendor": "Adobe",
          "versions": [
            {
              "lessThanOrEqual": "2020.013.20074",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "2020.001.30018",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "2017.011.30188",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "None",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2021-02-09T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Acrobat Reader DC versions versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and 2017.011.30188 (and earlier) are missing support for an integrity check. An unauthenticated attacker could leverage this vulnerability to modify content in a certified PDF without invalidating the certification. Exploitation of this issue requires user interaction in that a victim must open the tampered file."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-353",
              "description": "Missing Support for Integrity Check (CWE-353)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-04-01T13:35:46.000Z",
        "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "shortName": "adobe"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://helpx.adobe.com/security/products/acrobat/apsb21-09.html"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Acrobat Reader DC Missing Support for Integrity Check",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@adobe.com",
          "DATE_PUBLIC": "2021-02-09T23:00:00.000Z",
          "ID": "CVE-2021-28546",
          "STATE": "PUBLIC",
          "TITLE": "Acrobat Reader DC Missing Support for Integrity Check"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Acrobat Reader",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "2020.013.20074"
                          },
                          {
                            "version_affected": "\u003c=",
                            "version_value": "2020.001.30018"
                          },
                          {
                            "version_affected": "\u003c=",
                            "version_value": "2017.011.30188"
                          },
                          {
                            "version_affected": "\u003c=",
                            "version_value": "None"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Adobe"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Acrobat Reader DC versions versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and 2017.011.30188 (and earlier) are missing support for an integrity check. An unauthenticated attacker could leverage this vulnerability to modify content in a certified PDF without invalidating the certification. Exploitation of this issue requires user interaction in that a victim must open the tampered file."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "availabilityImpact": "None",
            "baseScore": 6.5,
            "baseSeverity": "Medium",
            "confidentialityImpact": "None",
            "integrityImpact": "High",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "userInteraction": "Required",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Missing Support for Integrity Check (CWE-353)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://helpx.adobe.com/security/products/acrobat/apsb21-09.html",
              "refsource": "MISC",
              "url": "https://helpx.adobe.com/security/products/acrobat/apsb21-09.html"
            }
          ]
        },
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
    "assignerShortName": "adobe",
    "cveId": "CVE-2021-28546",
    "datePublished": "2021-04-01T13:35:46.332Z",
    "dateReserved": "2021-03-16T00:00:00.000Z",
    "dateUpdated": "2024-09-16T23:10:26.406Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2021-30424

CVE-2021-28546 (GCVE-0-2021-28546)

Tags

Sightings

Nomenclature