The version of Adobe Acrobat installed on the remote Windows host is a version prior to 17.012.30227, 20.005.30331, or 22.001.20112. It is, therefore, affected by multiple vulnerabilities.

  - Acrobat Reader DC versions 20.001.20085 (and earlier), 20.005.3031x (and earlier) and 17.012.30205 (and     earlier) are affected by a use-after-free vulnerability that could lead to disclosure of sensitive memory.
    An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this     issue requires user interaction in that a victim must open a malicious file. (CVE-2022-24101)

  - Acrobat Reader DC versions 20.001.20085 (and earlier), 20.005.3031x (and earlier) and 17.012.30205 (and     earlier) are affected by a use-after-free vulnerability that could result in arbitrary code execution in     the context of the current user. Exploitation of this issue requires user interaction in that a victim     must open a malicious file. (CVE-2022-24102, CVE-2022-24103, CVE-2022-24104)

  - Acrobat Reader DC versions 22.001.20085 (and earlier), 20.005.3031x (and earlier) and 17.012.30205 (and     earlier) are affected by a use-after-free vulnerability in the processing of fonts that could result in     arbitrary code execution in the context of the current user. Exploitation of this issue requires user     interaction in that a victim must open a malicious file. (CVE-2022-27785, CVE-2022-27786, CVE-2022-27790)

  - Acrobat Reader DC versions 22.001.20085 (and earlier), 20.005.3031x (and earlier) and 17.012.30205 (and     earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code     execution in the context of the current user. Exploitation of this issue requires user interaction in that     a victim must open a malicious file. (CVE-2022-27787, CVE-2022-27788, CVE-2022-27792, CVE-2022-27793,     CVE-2022-27798, CVE-2022-28236)

  - Acrobat Reader DC versions 22.001.20085 (and earlier), 20.005.3031x (and earlier) and 17.012.30205 (and     earlier) are affected by a use-after-free vulnerability in the processing of the acroform event that could     result in arbitrary code execution in the context of the current user. Exploitation of this issue requires     user interaction in that a victim must open a malicious file. (CVE-2022-27789, CVE-2022-27795,     CVE-2022-27796, CVE-2022-27799, CVE-2022-28230, CVE-2022-28235)

  - Acrobat Reader DC versions 22.001.20085 (and earlier), 20.005.3031x (and earlier) and 17.012.30205 (and     earlier) is affected by a stack-based buffer overflow vulnerability due to insecure processing of a font,     potentially resulting in arbitrary code execution in the context of the current user. Exploitation     requires user interaction in that a victim must open a crafted .pdf file (CVE-2022-27791)

  - Acrobat Reader DC versions 22.001.20085 (and earlier), 20.005.3031x (and earlier) and 17.012.30205 (and     earlier) is affected by the use of a variable that has not been initialized when processing of embedded     fonts, potentially resulting in arbitrary code execution in the context of the current user. Exploitation     requires user interaction in that a victim must open a crafted .pdf file (CVE-2022-27794)

  - Acrobat Reader DC versions 22.001.20085 (and earlier), 20.005.3031x (and earlier) and 17.012.30205 (and     earlier) are affected by a use-after-free vulnerability in the processing of annotations that could result     in arbitrary code execution in the context of the current user. Exploitation of this issue requires user     interaction in that a victim must open a malicious file. (CVE-2022-27797, CVE-2022-27800, CVE-2022-27801,     CVE-2022-27802, CVE-2022-28233, CVE-2022-28237, CVE-2022-28238)

  - Acrobat Reader DC versions 22.001.20085 (and earlier), 20.005.3031x (and earlier) and 17.012.30205 (and     earlier) is affected by an out-of-bounds read vulnerability when processing a doc object, which could     result in a read past the end of an allocated memory structure. An attacker could leverage this     vulnerability to execute code in the context of the current user. Exploitation of this issue requires user     interaction in that a victim must open a malicious file. (CVE-2022-28231)

  - Acrobat Reader DC versions 22.001.20085 (and earlier), 20.005.3031x (and earlier) and 17.012.30205 (and     earlier) are affected by a use-after-free vulnerability in the processing of the collab object that could     result in arbitrary code execution in the context of the current user. Exploitation of this issue requires     user interaction in that a victim must open a malicious file. (CVE-2022-28232)

  - Acrobat Reader DC versions 22.001.20085 (and earlier), 20.005.3031x (and earlier) and 17.012.30205 (and     earlier) is affected by a heap-based buffer overflow vulnerability due to insecure handling of a crafted     .pdf file, potentially resulting in arbitrary code execution in the context of the current user.
    Exploitation requires user interaction in that a victim must open a crafted .pdf file (CVE-2022-28234)

  - Acrobat Reader DC version 22.001.2011x (and earlier), 20.005.3033x (and earlier) and 17.012.3022x (and     earlier) are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could     result in a read past the end of an allocated memory structure. An attacker could leverage this     vulnerability to execute code in the context of the current user. Exploitation of this issue requires user     interaction in that a victim must open a malicious file. (CVE-2022-28239, CVE-2022-28241, CVE-2022-28243)

  - Acrobat Reader DC version 22.001.2011x (and earlier), 20.005.3033x (and earlier) and 17.012.3022x (and     earlier) are affected by a use-after-free vulnerability that could result in arbitrary code execution in     the context of the current user. Exploitation of this issue requires user interaction in that a victim     must open a malicious file. (CVE-2022-28240, CVE-2022-28242)

  - Acrobat Reader DC versions 22.001.20085 (and earlier), 20.005.3031x (and earlier) and 17.012.30205 (and     earlier) is affected by a violation of secure design principles through bypassing the content security     policy, which could result in an attacker sending arbitrarily configured requests to the cross-origin     attack target domain. Exploitation requires user interaction in which the victim needs to access a crafted     PDF file on an attacker's server. (CVE-2022-28244)

  - Acrobat Reader DC version 22.001.2011x (and earlier), 20.005.3033x (and earlier) and 17.012.3022x (and     earlier) are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could     result in a read past the end of an allocated memory structure. An attacker could leverage this     vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in     that a victim must open a malicious file. (CVE-2022-28245, CVE-2022-28246, CVE-2022-28248, CVE-2022-28249,     CVE-2022-28251, CVE-2022-28252, CVE-2022-28253, CVE-2022-28254, CVE-2022-28255, CVE-2022-28257,     CVE-2022-28258, CVE-2022-28259, CVE-2022-28260, CVE-2022-28261, CVE-2022-28262, CVE-2022-28263,     CVE-2022-28264, CVE-2022-28265, CVE-2022-28266, CVE-2022-28267)

  - Acrobat Reader DC version 22.001.2011x (and earlier), 20.005.3033x (and earlier) and 17.012.3022x (and     earlier) are affected by an uncontrolled search path vulnerability that could lead to local privilege     escalation. Exploitation of this issue requires user interaction in that a victim must run the uninstaller     with Admin privileges. (CVE-2022-28247)

  - Acrobat Reader DC version 22.001.2011x (and earlier), 20.005.3033x (and earlier) and 17.012.3022x (and     earlier) are affected by a use-after-free vulnerability that could lead to disclosure of sensitive memory.
    An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this     issue requires user interaction in that a victim must open a malicious file. (CVE-2022-28250,     CVE-2022-28256)

  - Acrobat Reader DC versions 22.001.20085 (and earlier), 20.005.3031x (and earlier) and 17.012.30205 (and     earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive     memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of     this issue requires user interaction in that a victim must open a malicious file. (CVE-2022-28268)

  - Acrobat Reader DC versions 22.001.20085 (and earlier), 20.005.3031x (and earlier) and 17.012.30205 (and     earlier) are affected by a use-after-free vulnerability in the processing of Annotation objects that could     result in a memory leak in the context of the current user. Exploitation of this issue requires user     interaction in that a victim must open a malicious file. (CVE-2022-28269)

  - Acrobat Pro DC version 22.001.2011x (and earlier), 20.005.3033x (and earlier) and 17.012.3022x (and     earlier) are affected by a use-after-free vulnerability that could lead to disclosure of sensitive memory.
    An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this     issue requires user interaction in that a victim must open a malicious file. (CVE-2022-28837)

  - Acrobat Acrobat Pro DC version 22.001.2011x (and earlier), 20.005.3033x (and earlier) and 17.012.3022x     (and earlier) are affected by a use-after-free vulnerability that could result in arbitrary code execution     in the context of the current user. Exploitation of this issue requires user interaction in that a victim     must open a malicious file. (CVE-2022-28838)

  - Adobe Acrobat Reader version 22.001.20085 (and earlier), 20.005.30314 (and earlier) and 17.012.30205 (and     earlier) are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could     result in a read past the end of an allocated memory structure. An attacker could leverage this     vulnerability to execute code in the context of the current user. Exploitation of this issue requires user     interaction in that a victim must open a malicious file. (CVE-2022-35672)

  - Out-of-bounds Write (CWE-787) potentially leading to Arbitrary code execution (CVE-2022-44512,     CVE-2022-44513)

  - Use After Free (CWE-416) potentially leading to Arbitrary code execution (CVE-2022-44514, CVE-2022-44518,     CVE-2022-44520)

  - Out-of-bounds Read (CWE-125) potentially leading to Memory leak (CVE-2022-44515, CVE-2022-44516,     CVE-2022-44517)

  - Use After Free (CWE-416) potentially leading to Memory leak (CVE-2022-44519)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

Adobe Acrobat < 17.012.30227 / 20.005.30331 / 22.001.20112 Multiple Vulnerabilities (APSB22-16)

high Nessus Plugin ID 159656

Version 1.8

Version 1.7

Version 1.6

Version 1.8 Feb 6, 2024, 4:21 PM CVSSv3 score source (set to "CVE-2022-35672") Plugin Feed: 202402061621
Version 1.7 Feb 5, 2024, 6:20 PM Detection Plugin Feed: 202402051820
Version 1.6 Nov 2, 2023, 2:21 PM CVSS temporal metrics ("CVSSv2 temporal vector" set to "CVSS2#E:POC/RL:OF/RC:C". "CVSSv3 temporal vector" set to "CVSS:3.0/E:P/RL:O/RC:C") CVSSv2 score source (changed from "CVE-2022-24092" to "CVE-2022-28838") Exploit attributes ("Exploit available" set to "True". "Exploitability ease" changed from "No known exploits are available" to "Exploits are available") Plugin Feed: 202311021421