The version of Adobe Reader installed on the remote Windows host is a version prior to 2017.011.30196, 2020.001.30025, or 2021.001.20155. It is, therefore, affected by multiple vulnerabilities.

  - Acrobat Reader DC versions versions 2021.001.20150 (and earlier), 2020.001.30020 (and earlier) and     2017.011.30194 (and earlier) are affected by a memory corruption vulnerability. An unauthenticated     attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the     current user. Exploitation of this issue requires user interaction in that a victim must open a malicious     file. (CVE-2021-28561)

  - Acrobat Reader DC versions versions 2021.001.20150 (and earlier), 2020.001.30020 (and earlier) and     2017.011.30194 (and earlier) are affected by a Heap-based Buffer Overflow vulnerability. An     unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the     context of the current user. Exploitation of this issue requires user interaction in that a victim must     open a malicious file. (CVE-2021-28560)

  - Acrobat Reader DC versions versions 2021.001.20150 (and earlier), 2020.001.30020 (and earlier) and     2017.011.30194 (and earlier) are affected by an Heap-based buffer overflow vulnerability in the PDFLibTool     component. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code     execution in the context of the current user. Exploitation of this issue requires user interaction in that     a victim must open a malicious file. (CVE-2021-28558)

  - Acrobat Reader DC versions versions 2021.001.20150 (and earlier), 2020.001.30020 (and earlier) and     2017.011.30194 (and earlier) are affected by an Out-of-bounds Read vulnerability. An unauthenticated     attacker could leverage this vulnerability to leak sensitive system information in the context of the     current user. Exploitation of this issue requires user interaction in that a victim must open a malicious     file. (CVE-2021-28557)

  - Acrobat Reader DC versions versions 2021.001.20150 (and earlier), 2020.001.30020 (and earlier) and     2017.011.30194 (and earlier) are affected by an Out-of-bounds Read vulnerability. An unauthenticated     attacker could leverage this vulnerability to get access to sensitive information in the context of the     current user. Exploitation of this issue requires user interaction in that a victim must open a malicious     file. (CVE-2021-28555)

  - Acrobat Reader DC versions versions 2021.001.20150 (and earlier), 2020.001.30020 (and earlier) and     2017.011.30194 (and earlier) are affected by an Out-of-bounds Read vulnerability in the PDFLibTool     component. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code     execution in the context of the current user. Exploitation of this issue requires user interaction in that     a victim must open a malicious file. (CVE-2021-28565)

  - Acrobat Reader DC versions versions 2021.001.20150 (and earlier), 2020.001.30020 (and earlier) and     2017.011.30194 (and earlier) are affected by an Out-of-bounds Write vulnerability within the ImageTool     component. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code     execution in the context of the current user. Exploitation of this issue requires user interaction in that     a victim must open a malicious file. (CVE-2021-28564)

  - Acrobat Reader DC versions versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and     2017.011.30188 (and earlier) are affected by an Out-of-bounds Write vulnerability when parsing a crafted     jpeg file. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code     execution in the context of the current user. Exploitation of this issue requires user interaction in that     a victim must open a malicious file. (CVE-2021-21038, CVE-2021-21044)

  - Acrobat Reader DC versions versions 2021.001.20150 (and earlier), 2020.001.30020 (and earlier) and     2017.011.30194 (and earlier) are affected by an Information Exposure vulnerability. An unauthenticated     attacker could leverage this vulnerability to get access to restricted data stored within global variables     and objects. (CVE-2021-28559)

  - Acrobat Reader DC versions versions 2021.001.20150 (and earlier), 2020.001.30020 (and earlier) and     2017.011.30194 (and earlier) are affected by a Use After Free vulnerability when executing search queries     through Javascript. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary     code execution in the context of the current user. Exploitation of this issue requires user interaction in     that a victim must open a malicious file. (CVE-2021-28562)

  - Acrobat Reader DC versions versions 2021.001.20150 (and earlier), 2020.001.30020 (and earlier) and     2017.011.30194 (and earlier) are affected by a Use After Free vulnerability. An unauthenticated attacker     could leverage this vulnerability to achieve arbitrary code execution in the context of the current user.
    Exploitation of this issue requires user interaction in that a victim must open a malicious file.
    (CVE-2021-28550)

  - Acrobat Reader DC versions versions 2021.001.20150 (and earlier), 2020.001.30020 (and earlier) and     2017.011.30194 (and earlier) are affected by an Use After Free vulnerability. An unauthenticated attacker     could leverage this vulnerability to achieve arbitrary code execution in the context of the current user.
    Exploitation of this issue requires user interaction in that a victim must open a malicious file.
    (CVE-2021-28553)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

Adobe Reader < 2017.011.30196 / 2020.001.30025 / 2021.001.20155 Multiple Vulnerabilities (APSB21-29)

high Nessus Plugin ID 149379

Version 1.16

Version 1.15

Version 1.13

Version 1.12

Version 1.16 Oct 22, 2024, 8:01 AM Exploit attributes ("Exploited by malware" set to "True") Plugin Feed: 202410220801
Version 1.15 Oct 21, 2024, 7:12 PM CVE (set "CVE" coverage to "CVE-2021-21038,CVE-2021-21044,CVE-2021-28550,CVE-2021-28553,CVE-2021-28555,CVE-2021-28557,CVE-2021-28558,CVE-2021-28559,CVE-2021-28560,CVE-2021-28561,CVE-2021-28562,CVE-2021-28564,CVE-2021-28565") CVSS metrics ("Cvssv4 score" set to 0.0) CVSSv2 severity (based on None, severity decreased from "High" to "Low") Exploit attributes ("Exploited by malware" changed from "True" to none) Plugin metadata Plugin Feed: 202410211912
Version 1.13 Jan 2, 2024, 2:43 PM CVSS temporal metrics ("CVSSv2 temporal vector" set to "CVSS2#E:H/RL:OF/RC:C". "CVSSv3 temporal vector" set to "CVSS:3.0/E:H/RL:O/RC:C") Exploit attributes ("Exploited by malware" set to "True") Plugin Feed: 202401021443
Version 1.12 Apr 25, 2023, 11:11 PM CVSS temporal metrics (Adjust exploitability metrics for CISA KEV vulnerabilities) Plugin Feed: 202304252311