CVE-2018-4967
Published 2018-07-09
Priority: P3
CVSS 3.0: 7.5 (high), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 12.27% (95.7th percentile)
Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011.30079 and earlier, and 2015.006.30417 and earlier have an Out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | acrobat_dc | >= 15.006.30417 < 15.006.30418 | 15.006.30418 |
| adobe | acrobat_dc | >= 17.011.30079 < 17.011.30080 | 17.011.30080 |
| adobe | acrobat_dc | >= 18.011.20038 < 18.011.20040 | 18.011.20040 |
| adobe | acrobat_reader_dc | >= 15.006.30417 < 15.006.30418 | 15.006.30418 |
| adobe | acrobat_reader_dc | >= 17.011.30079 < 17.011.30080 | 17.011.30080 |
| adobe | acrobat_reader_dc | >= 18.011.20038 < 18.011.20040 | 18.011.20040 |
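The ranges above are written in the CPE two-digit track style (18.011.20038), while the advisory text uses the four-digit form (2018.011.20038), and the NVD ranges only cover the last vulnerable build of each track whereas the advisory says "and earlier". The following is an added example, not code from this page or from Adobe, that normalises both version spellings and checks an installed build against the table under either reading; the product names and the `per_advisory` switch are this example's own conventions.

```python
import re

# Affected ranges copied from the table above, CPE style:
# (product, lower bound inclusive, upper bound exclusive, fixed-in version)
AFFECTED_RANGES = [
    ("acrobat_dc",        "15.006.30417", "15.006.30418", "15.006.30418"),
    ("acrobat_dc",        "17.011.30079", "17.011.30080", "17.011.30080"),
    ("acrobat_dc",        "18.011.20038", "18.011.20040", "18.011.20040"),
    ("acrobat_reader_dc", "15.006.30417", "15.006.30418", "15.006.30418"),
    ("acrobat_reader_dc", "17.011.30079", "17.011.30080", "17.011.30080"),
    ("acrobat_reader_dc", "18.011.20038", "18.011.20040", "18.011.20040"),
]

# track.minor.build; the track is either "18" (CPE) or "2018" (Adobe advisory)
_VERSION_RE = re.compile(r"^(\d{2}|\d{4})\.(\d{3})\.(\d+)$")


def parse_version(s):
    """Normalise an Acrobat/Reader version string to a comparable tuple.

    '2018.011.20038' and '18.011.20038' both become (18, 11, 20038).
    """
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Acrobat version string: {s!r}")
    track, minor, build = m.groups()
    if len(track) == 4:
        track = track[2:]          # 2018 -> 18
    return (int(track), int(minor), int(build))


def is_affected(product, version, per_advisory=True):
    """Return (affected, fixed_in) for an installed build.

    per_advisory=True  : advisory wording, "<last vulnerable build> and earlier"
                         on the same track, i.e. anything below the fixed build.
    per_advisory=False : the literal NVD range, which only spans the last
                         vulnerable build up to (excluding) the fixed build.
    """
    v = parse_version(version)
    for prod, lo, hi, fixed in AFFECTED_RANGES:
        if prod != product:
            continue
        lo_t, hi_t = parse_version(lo), parse_version(hi)
        if per_advisory:
            if v[0] == hi_t[0] and v < hi_t:
                return True, fixed
        elif lo_t <= v < hi_t:
            return True, fixed
    return False, None


if __name__ == "__main__":
    # constructed sample inputs, not data from the page
    for prod, ver in [("acrobat_reader_dc", "2018.011.20038"),
                      ("acrobat_reader_dc", "2018.011.20040"),
                      ("acrobat_dc", "2015.006.30000")]:
        print(prod, ver, is_affected(prod, ver), is_affected(prod, ver, per_advisory=False))
```

An older build such as 2015.006.30000 is reported as vulnerable under the advisory reading but not under the literal NVD range, which is why inventory tooling that compares only against the CPE ranges under-reports this CVE.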
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| vendor_redhat | (not stated) | 5.9 | MEDIUM | (not stated) |
The Red Hat score is the one attached to the Red Hat and Bugzilla entries further down, which concern the OkHttp issue CVE-2018-20200, not the Adobe advisory.
GHSA
GHSA-47w6-hx3r-xcc6 · ghsa_unreviewed · 2022-05-14 · CVE-2018-4967 [HIGH] CWE-125
Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011.30079 and earlier, and 2015.006.30417 and earlier have an Out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.
Red Hat
CVE-2018-20200 [MEDIUM] CWE-300 okhttp: certificate pinning bypass · vendor_redhat · 2019-04-19 · CVSS 5.9
This entry concerns CVE-2018-20200 (OkHttp), not CVE-2018-4967; the only link to this page is the OkHttp issue number in the URL below.
CertificatePinner.java in OkHttp 3.x through 3.12.0 allows man-in-the-middle attackers to bypass certificate pinning by changing SSLContext and the boolean values while hooking the application. NOTE: This id is disputed because some parties don't consider this a vulnerability. Their rationale can be found in https://github.com/square/okhttp/issues/4967
Statement: OkHttp is used by OpenShift Container Platform in the Aggregated Logging stack. This issue is not considered a vulnerability for OpenShift Container Platform as the prerequisite for exploitation is the ability to inject code into the application.
Package: okhttp (Red Hat Decision Manager 7) - Not affected
Package: okhttp (Red Hat Fuse 7) - Not affected
Package: okhttp (Red Hat OpenShift A
No detection rules found.
No public exploits indexed.
Zscaler
blogs_zscaler: Zscaler protects against 38 new vulnerabilities for Adobe Fl
Bugzilla
CVE-2018-20200 [MEDIUM] okhttp: certificate pinning bypass · bugzilla · 2019-05-13 · CVSS 5.9
CertificatePinner.java in OkHttp 3.x through 3.12.0 allows man-in-the-middle attackers to bypass certificate pinning by changing SSLContext and the boolean values while hooking the application.
Upstream issue:
https://github.com/square/okhttp/issues/4967
References:
https://cxsecurity.com/issue/WLB-2018120252
https://github.com/square/okhttp/commits/master
https://github.com/square/okhttp/releases
https://square.github.io/okhttp/3.x/okhttp/
Discussion:
Created okhttp tracking bugs for this issue:
Affects: fedora-all [bug 1709380]
---
Statement:
OkHttp is used by OpenShift Container Platform in the Aggregated Logging stack. This issue is not considered a vulnerability for OpenShift Container Platform as the prerequisite for exploi