CVE-2020-24433

05.11.2020, 20:15

Adobe Acrobat Reader DC versions 2020.012.20048 (and earlier), 2020.001.30005 (and earlier) and 2017.011.30175 (and earlier) are affected by a local privilege escalation vulnerability that could enable a user without administrator privileges to delete arbitrary files and potentially execute arbitrary code as SYSTEM. Exploitation of this issue requires an attacker to socially engineer a victim, or the attacker must already have some access to the environment.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.8 HIGH	LOCAL	LOW	NONE	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
adobe	CNA	7.8 HIGH	LOCAL	LOW	NONE	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 79%

Vendor	Product	Version
adobe	acrobat	𝑥 ≤ 20.001.30005
adobe	acrobat_dc	𝑥 ≤ 17.011.30175
adobe	acrobat_dc	𝑥 ≤ 20.012.20048
adobe	acrobat_reader	𝑥 ≤ 20.001.30005
adobe	acrobat_reader_dc	𝑥 ≤ 17.011.30175
adobe	acrobat_reader_dc	𝑥 ≤ 20.012.20048

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-284 - Improper Access Control
The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References

https://helpx.adobe.com/security/products/acrobat/apsb20-67.html