{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2024-095.pdf"
    },
    "title": "Critical vulnerabilities in Adobe Products",
    "serial_number": "2024-095",
    "publish_date": "12-09-2024 14:57:13",
    "description": "On September 10, 2024, Adobe released a security bulletin addressing two critical vulnerabilities affecting its Acrobat products. When exploited, these vulnerabilities could allow an attacker to execute arbitrary code.<br>\nA publicly available proof-of-concept exploit exists for one of the vulnerabilities.<br>\n",
    "url_title": "2024-095",
    "content_markdown": "---    \ntitle: 'Critical vulnerabilities in\u00a0Adobe\u00a0Products'\nnumber: '2024-095'\nversion: '1.0'\noriginal_date: '2024-09-10'\ndate: '2024-09-12'\n---\n\n_History:_\n\n* _12/09/2024 --- v1.0 -- Initial publication_\n\n\n# Summary\n\nOn September 10, 2024, Adobe released a security bulletin addressing two critical vulnerabilities affecting its Acrobat products. When exploited, these vulnerabilities could allow an attacker to execute arbitrary code [1].\n\nA publicly available proof-of-concept exploit exists for one of the vulnerabilities [2].\n\n# Technical Details\n\nThe vulnerability **CVE-2024-41869**, with a CVSS score of 7.8, is a use after free flaw that could lead to remote code execution when opening a specially crafted PDF document. A proof-of-concept exploit exists for this vulnerability.\n\nThe vulnerability **CVE-2024-45112**, with a CVSS score of 8.6, is a type confusion vulnerability that could lead to remote code execution.\n\n# Affected Products\n\nThe following products are affected:\n\n- Acrobat DC and Acrobat Reader DC for Windows versions 24.003.20054 and earlier.\n- Acrobat DC and Acrobat Reader DC for MacOS versions 24.002.21005 and earlier.\n- Acrobat 2024 for Windows and MacOS versions 24.001.30159 and earlier.\n- Acrobat 2020 and Acrobat Reader 2020 for Windows and MacOS versions 20.005.30655 and earlier.\n\n# Recommendations\n\nCERT-EU strongly recommends updating affected products to a fixed version [2]. \n\n# References\n\n[1] <https://helpx.adobe.com/security/products/acrobat/apsb24-70.html>\n\n[2] <https://www.bleepingcomputer.com/news/security/adobe-fixes-acrobat-reader-zero-day-with-public-poc-exploit/>",
    "content_html": "<p><em>History:</em></p><ul><li><em>12/09/2024 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On September 10, 2024, Adobe released a security bulletin addressing two critical vulnerabilities affecting its Acrobat products. When exploited, these vulnerabilities could allow an attacker to execute arbitrary code [1].</p><p>A publicly available proof-of-concept exploit exists for one of the vulnerabilities [2].</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability <strong>CVE-2024-41869</strong>, with a CVSS score of 7.8, is a use after free flaw that could lead to remote code execution when opening a specially crafted PDF document. A proof-of-concept exploit exists for this vulnerability.</p><p>The vulnerability <strong>CVE-2024-45112</strong>, with a CVSS score of 8.6, is a type confusion vulnerability that could lead to remote code execution.</p><h2 id=\"affected-products\">Affected Products</h2><p>The following products are affected:</p><ul><li>Acrobat DC and Acrobat Reader DC for Windows versions 24.003.20054 and earlier.</li><li>Acrobat DC and Acrobat Reader DC for MacOS versions 24.002.21005 and earlier.</li><li>Acrobat 2024 for Windows and MacOS versions 24.001.30159 and earlier.</li><li>Acrobat 2020 and Acrobat Reader 2020 for Windows and MacOS versions 20.005.30655 and earlier.</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>CERT-EU strongly recommends updating affected products to a fixed version [2]. </p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://helpx.adobe.com/security/products/acrobat/apsb24-70.html\">https://helpx.adobe.com/security/products/acrobat/apsb24-70.html</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.bleepingcomputer.com/news/security/adobe-fixes-acrobat-reader-zero-day-with-public-poc-exploit/\">https://www.bleepingcomputer.com/news/security/adobe-fixes-acrobat-reader-zero-day-with-public-poc-exploit/</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}