SecuriTricks - CVE-2024-45112

Description

Acrobat Reader versions 24.002.21005, 24.001.30159, 20.005.30655, 24.003.20054 and earlier are affected by a Type Confusion vulnerability that could result in arbitrary code execution in the context of the current user. This issue occurs when a resource is accessed using a type that is not compatible with the actual object type, leading to a logic error that an attacker could exploit. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Product(s) Impacted

Vendor	Product	Versions
Adobe	Acrobat Acrobat Dc Acrobat Reader Acrobat Reader Dc	* * * *
Apple	Macos	*
Microsoft	Windows	*

Weaknesses

CWE-843

Access of Resource Using Incompatible Type ('Type Confusion')

The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.

*CPE(s)

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	adobe	acrobat	/	/	/	/	classic	/	/	/
a	adobe	acrobat	/	/	/	/	classic	/	/	/
a	adobe	acrobat_dc	/	/	/	/	continuous	/	/	/
a	adobe	acrobat_reader	/	/	/	/	classic	/	/	/
a	adobe	acrobat_reader_dc	/	/	/	/	continuous	/	/	/
o	apple	macos	/	/	/	/	/	/	/	/
o	microsoft	windows	/	/	/	/	/	/	/	/

References

https://helpx.adobe.com/security/products/acrobat/apsb24-70.html

CVSS Score

7.8 / 10

CVSS Data

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

View Vector String

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Date

Published: Sept. 13, 2024, 9:15 a.m.
Last Modified: Sept. 19, 2024, 2:56 p.m.

Status : Analyzed

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

psirt@adobe.com

CVE-2024-45112