CVE-2020-29075 — Improper Input Validation in Adobe Acrobat Reader DC

CWE-20 — Improper Input Validation CWE-200 — Sensitive Information Exposure3 documents3 sources

Severity

6.5MEDIUMNVD

CNA7.1

EPSS

1.2%

top 20.70%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Adobe Acrobat Reader DC Adobe Acrobat Adobe Acrobat DC +1 more

Timeline

PublishedFeb 23

Latest updateMay 24

Description

Acrobat Reader DC versions 2020.013.20066 (and earlier), 2020.001.30010 (and earlier) and 2017.011.30180 (and earlier) are affected by an information exposure vulnerability, that could enable an attacker to get a DNS interaction and track if the user has opened or closed a PDF file when loaded from the filesystem without a prompt. User interaction is required to exploit this vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages5 packages

▶NVDadobe/acrobat_reader17.011.30059 — 17.011.30180+1

▶CVEListV5adobe/acrobat_reader_dc2020.013.20066+2

▶NVDadobe/acrobat_reader_dc15.008.20082 — 20.013.20066

▶NVDadobe/acrobat17.011.30059 — 17.011.30180+1

▶NVDadobe/acrobat_dc15.008.20082 — 20.013.20066

🔴Vulnerability Details

GHSA

GHSA-j86v-4vf3-rfmv: Acrobat Reader DC versions 2020↗2022-05-24

▶

CVEList

PDF Injection BlackHat Talk↗2021-02-23

▶