CVE-2017-16368

09.12.2017, 06:29

An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and earlier versions, 2017.011.30066 and earlier versions, 2015.006.30355 and earlier versions, and 11.0.22 and earlier versions. This vulnerability leads to a stack-based buffer overflow condition in the internal Unicode string manipulation module. It is triggered by an invalid PDF file, where a crafted Unicode string causes an out of bounds memory access of a stack allocated buffer, due to improper checks when manipulating an offset of a pointer to the buffer. Attackers can exploit the vulnerability and achieve arbitrary code execution if they can effectively control the accessible memory.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8.8 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
adobe	CNA	---				---
CVE	ADP	---				---
CISA-ADP	ADP	8.8 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 95%

Vendor	Product	Version
adobe	acrobat	𝑥 ≤ 11.0.22
adobe	acrobat	17.0 ≤ 𝑥 ≤ 17.011.30066
adobe	acrobat_dc	𝑥 ≤ 17.012.20098
adobe	acrobat_dc	15.0 ≤ 𝑥 ≤ 15.006.30355
adobe	acrobat_reader	𝑥 ≤ 11.0.22
adobe	acrobat_reader	17.0 ≤ 𝑥 ≤ 17.011.30066
adobe	acrobat_reader_dc	𝑥 ≤ 17.012.20098
adobe	acrobat_reader_dc	15.0 ≤ 𝑥 ≤ 15.006.30355

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer
The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

References

http://www.securityfocus.com/bid/101816

http://www.securitytracker.com/id/1039791

https://helpx.adobe.com/security/products/acrobat/apsb17-36.html

http://www.securityfocus.com/bid/101816

http://www.securitytracker.com/id/1039791

https://helpx.adobe.com/security/products/acrobat/apsb17-36.html