CVE-2018-4888

Published Feb 27, 2018

Last updated 7 years ago

CVSS high 8.8

Overview

Description: An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and earlier versions, 2017.011.30070 and earlier versions, 2015.006.30394 and earlier versions. This vulnerability is an instance of a use after free vulnerability. The vulnerability is triggered by a crafted PDF file that can cause a memory access violation exception in the XFA engine because of a dangling reference left as a consequence of freeing an object in the computation that manipulates internal nodes in a graph representation of a document object model used in XFA. Successful exploitation could lead to arbitrary code execution.
Source: psirt@adobe.com
NVD status: Analyzed

Risk scores

CVSS 3.0

Type: Primary
Base score: 8.8
Impact score: 5.9
Exploitability score: 2.8
Vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity: HIGH

CVSS 2.0

Type: Primary
Base score: 6.8
Impact score: 6.4
Exploitability score: 8.6
Vector string: AV:N/AC:M/Au:N/C:P/I:P/A:P

Weaknesses

nvd@nist.gov: CWE-416

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:adobe:acrobat:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "6AA5E332-A7C9-40EE-AA1D-ECD20C6AC948",
            "versionEndIncluding": "17.011.30070",
            "versionStartIncluding": "17.0"
          },
          {
            "criteria": "cpe:2.3:a:adobe:acrobat_dc:*:*:*:*:continuous:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "5561E635-D92E-4598-9D10-2FB1F7B3AD82",
            "versionEndIncluding": "18.009.20050",
            "versionStartIncluding": "-"
          },
          {
            "criteria": "cpe:2.3:a:adobe:acrobat_dc:*:*:*:*:classic:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "665540E1-CF26-4390-BC76-5FEF40E7DB9F",
            "versionEndIncluding": "15.006.30394",
            "versionStartIncluding": "15.0"
          },
          {
            "criteria": "cpe:2.3:a:adobe:acrobat_reader:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "2E402EC4-3717-4634-90E9-BDE1C76FAB5E",
            "versionEndIncluding": "17.011.30070",
            "versionStartIncluding": "17.0"
          },
          {
            "criteria": "cpe:2.3:a:adobe:acrobat_reader_dc:*:*:*:*:continuous:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "381AB5FE-10AE-4B06-9CAD-0614295928BA",
            "versionEndIncluding": "18.009.20050",
            "versionStartIncluding": "-"
          },
          {
            "criteria": "cpe:2.3:a:adobe:acrobat_reader_dc:*:*:*:*:classic:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "68EEAB61-2409-432D-B10F-0B59FC4EB1E1",
            "versionEndIncluding": "15.006.30394",
            "versionStartIncluding": "15.0"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Risk scores

CVSS 3.0

CVSS 2.0

Weaknesses

Social media

Configurations

References