A vulnerability classified as problematic was found in Adobe Acrobat Reader up to 2019.010.20100 (Document Reader Software). Affected by this vulnerability is an unknown function. The manipulation with an unknown input leads to a out-of-bounds vulnerability. The CWE definition for the vulnerability is CWE-125. The product reads data past the end, or before the beginning, of the intended buffer. As an impact it is known to affect confidentiality.

The bug was discovered 05/14/2019. The weakness was published 05/14/2019 as APSB19-18 as confirmed security bulletin (Website). The advisory is shared at helpx.adobe.com. This vulnerability is known as CVE-2019-7145 since 01/28/2019. The attack can be launched remotely. The exploitation doesn't need any form of authentication. It demands that the victim is doing some kind of user interaction. Neither technical details nor an exploit are publicly available.

The commercial vulnerability scanner Qualys is able to test this issue with plugin 371777 (Adobe Reader and Acrobat Multiple Vulnerabilities (APSB19-18)).

Upgrading to version 2015.006.30497, 2017.011.30142 or 2019.012.20034 eliminates this vulnerability. The upgrade is hosted for download at get.adobe.com. A possible mitigation has been published immediately after the disclosure of the vulnerability. The security bulletin contains the following remark:

Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address critical and important vulnerabilities.

Additional details are provided at blog.talosintelligence.com.

Productinfo

Type

• Document Reader Software

Vendor

• Adobe

Name

• Acrobat Reader

Version

• 2015.006.30493
• 2015.006.30495
• 2017.011.30138
• 2017.011.30140
• 2019.010
• 2019.010.20099

License

• free

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion