CVE-2021-40730

15.10.2021, 15:15

Adobe Acrobat Reader DC version 21.007.20095 (and earlier), 21.007.20096 (and earlier), 20.004.30015 (and earlier), and 17.011.30202 (and earlier) is affected by a use-after-free that allow a remote attacker to disclose sensitive information on affected installations of of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of JPG2000 images.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	3.3 LOW	LOCAL	LOW	NONE	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
adobe	CNA	3.3 LOW	LOCAL	LOW	NONE	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 78%

Vendor	Product	Version
adobe	acrobat_dc	15.008.20082 ≤ 𝑥 ≤ 21.007.20095
adobe	acrobat_reader_dc	15.008.20082 ≤ 𝑥 ≤ 21.007.20095
adobe	acrobat_dc	15.008.20082 ≤ 𝑥 ≤ 21.007.20096
adobe	acrobat_reader_dc	15.008.20082 ≤ 𝑥 ≤ 21.007.20096
adobe	acrobat	20.001.30005 ≤ 𝑥 ≤ 20.004.30015
adobe	acrobat_reader	20.001.30005 ≤ 𝑥 ≤ 20.004.30015
adobe	acrobat	17.011.30158 ≤ 𝑥 ≤ 17.011.30202
adobe	acrobat_reader	17.011.30158 ≤ 𝑥 ≤ 17.011.30202

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-416 - Use After Free
Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

References

https://helpx.adobe.com/security/products/acrobat/apsb21-104.html