Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2009-1492 — Out-of-bounds Write in Adobe Acrobat

CWE-39910 documents7 sources

Severity

9.3CRITICALNVD

EPSS

68.1%

top 1.40%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Adobe Acrobat Adobe Acrobat Reader

Timeline

PublishedApr 30

Latest updateMay 2

Description

The getAnnots Doc method in the JavaScript API in Adobe Reader and Acrobat 9.1, 8.1.4, 7.1.1, and earlier allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a PDF file that contains an annotation, and has an OpenAction entry with JavaScript code that calls this method with crafted integer arguments.

CVSS vector

AV:N/AC:M/C:C/I:C/A:CExploitability: 8.6 | Impact: 10.0

Affected Packages2 packages

▶NVDadobe/acrobat_reader7.0 — 7.1.1+2

▶NVDadobe/acrobat7.0 — 7.1.1+2

🔴Vulnerability Details

GHSA

GHSA-mvqm-4f92-4qqc: The getAnnots Doc method in the JavaScript API in Adobe Reader and Acrobat 9↗2022-05-02

▶

VulnCheck

Adobe Reader and Acrobat getAnnots Doc Method Vulnerability↗2009

▶

💥Exploits & PoCs

Exploit-DB

Adobe Reader 8.1.4/9.1 - 'GetAnnots()' Remote Code Execution↗2009-04-29

▶

📋Vendor Advisories

Red Hat

acroread: multiple vulnerabilities in Adobe Reader 8.1.4↗2009-04-27

▶

🕵️Threat Intelligence

Talos

The Acrobat JavaScript Blocklist Framework↗2010-01-20

▶

Talos

The Acrobat JavaScript Blocklist Framework↗2010-01-20

▶

Talos

Rule release for today - May 5th 2009↗2009-05-05

▶

Talos

Rule release for today - May 5th 2009↗2009-05-05

▶

💬Community

Bugzilla

CVE-2009-1492, CVE-2009-1493 acroread: multiple vulnerabilities in Adobe Reader 8.1.4↗2009-04-29

▶