https://helpx.adobe.com/security/products/acrobat/apsb21-104.html

The version of Adobe Reader installed on the remote Windows host is a version prior to 17.011.30204, 20.004.30017, or 21.007.20099. It is, therefore, affected by multiple vulnerabilities.

  - Adobe Acrobat Reader DC version 21.007.20095 (and earlier), 21.007.20096 (and earlier), 20.004.30015 (and     earlier), and 17.011.30202 (and earlier) is affected by an out-of-bounds write vulnerability when parsing     a crafted JPEG2000 file, which could result in arbitrary code execution in the context of the current     user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
    (CVE-2021-40731)

  - Adobe Acrobat Reader DC version 21.007.20095 (and earlier), 21.007.20096 (and earlier), 20.004.30015 (and     earlier), and 17.011.30202 (and earlier) is affected by a use-after-free vulnerability in the processing     of the GetURL function on a global object window that could result in arbitrary code execution in the     context of the current user. Exploitation of this issue requires user interaction in that a victim must     open a malicious file. (CVE-2021-40728)

  - Adobe Acrobat Reader DC version 21.007.20095 (and earlier), 21.007.20096 (and earlier), 20.004.30015 (and     earlier), and 17.011.30202 (and earlier) is affected by a out-of-bounds read vulnerability that could lead     to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations     such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious     PDF file. (CVE-2021-40729)

  - Adobe Acrobat Reader DC version 21.007.20095 (and earlier), 21.007.20096 (and earlier), 20.004.30015 (and     earlier), and 17.011.30202 (and earlier) is affected by a use-after-free that allow a remote attacker to     disclose sensitive information on affected installations of of Adobe Acrobat Reader DC. User interaction     is required to exploit this vulnerability in that the target must visit a malicious page or open a     malicious file. The specific flaw exists within the parsing of JPG2000 images. (CVE-2021-40730)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Adobe Reader installed on the remote macOS host is a version prior to 17.011.30204, 20.004.30017, or 21.007.20099. It is, therefore, affected by multiple vulnerabilities.

  - Adobe Acrobat Reader DC version 21.007.20095 (and earlier), 21.007.20096 (and earlier), 20.004.30015 (and     earlier), and 17.011.30202 (and earlier) is affected by an out-of-bounds write vulnerability when parsing     a crafted JPEG2000 file, which could result in arbitrary code execution in the context of the current     user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
    (CVE-2021-40731)

  - Adobe Acrobat Reader DC version 21.007.20095 (and earlier), 21.007.20096 (and earlier), 20.004.30015 (and     earlier), and 17.011.30202 (and earlier) is affected by a use-after-free vulnerability in the processing     of the GetURL function on a global object window that could result in arbitrary code execution in the     context of the current user. Exploitation of this issue requires user interaction in that a victim must     open a malicious file. (CVE-2021-40728)

  - Adobe Acrobat Reader DC version 21.007.20095 (and earlier), 21.007.20096 (and earlier), 20.004.30015 (and     earlier), and 17.011.30202 (and earlier) is affected by a out-of-bounds read vulnerability that could lead     to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations     such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious     PDF file. (CVE-2021-40729)

  - Adobe Acrobat Reader DC version 21.007.20095 (and earlier), 21.007.20096 (and earlier), 20.004.30015 (and     earlier), and 17.011.30202 (and earlier) is affected by a use-after-free that allow a remote attacker to     disclose sensitive information on affected installations of of Adobe Acrobat Reader DC. User interaction     is required to exploit this vulnerability in that the target must visit a malicious page or open a     malicious file. The specific flaw exists within the parsing of JPG2000 images. (CVE-2021-40730)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Adobe Acrobat installed on the remote Windows host is a version prior to 17.011.30204, 20.004.30017, or 21.007.20099. It is, therefore, affected by multiple vulnerabilities.

  - Adobe Acrobat Reader DC version 21.007.20095 (and earlier), 21.007.20096 (and earlier), 20.004.30015 (and     earlier), and 17.011.30202 (and earlier) is affected by an out-of-bounds write vulnerability when parsing     a crafted JPEG2000 file, which could result in arbitrary code execution in the context of the current     user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
    (CVE-2021-40731)

  - Adobe Acrobat Reader DC version 21.007.20095 (and earlier), 21.007.20096 (and earlier), 20.004.30015 (and     earlier), and 17.011.30202 (and earlier) is affected by a use-after-free vulnerability in the processing     of the GetURL function on a global object window that could result in arbitrary code execution in the     context of the current user. Exploitation of this issue requires user interaction in that a victim must     open a malicious file. (CVE-2021-40728)

  - Adobe Acrobat Reader DC version 21.007.20095 (and earlier), 21.007.20096 (and earlier), 20.004.30015 (and     earlier), and 17.011.30202 (and earlier) is affected by a out-of-bounds read vulnerability that could lead     to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations     such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious     PDF file. (CVE-2021-40729)

  - Adobe Acrobat Reader DC version 21.007.20095 (and earlier), 21.007.20096 (and earlier), 20.004.30015 (and     earlier), and 17.011.30202 (and earlier) is affected by a use-after-free that allow a remote attacker to     disclose sensitive information on affected installations of of Adobe Acrobat Reader DC. User interaction     is required to exploit this vulnerability in that the target must visit a malicious page or open a     malicious file. The specific flaw exists within the parsing of JPG2000 images. (CVE-2021-40730)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Adobe Acrobat installed on the remote macOS host is a version prior to 17.011.30204, 20.004.30017, or 21.007.20099. It is, therefore, affected by multiple vulnerabilities.

  - Adobe Acrobat Reader DC version 21.007.20095 (and earlier), 21.007.20096 (and earlier), 20.004.30015 (and     earlier), and 17.011.30202 (and earlier) is affected by an out-of-bounds write vulnerability when parsing     a crafted JPEG2000 file, which could result in arbitrary code execution in the context of the current     user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
    (CVE-2021-40731)

  - Adobe Acrobat Reader DC version 21.007.20095 (and earlier), 21.007.20096 (and earlier), 20.004.30015 (and     earlier), and 17.011.30202 (and earlier) is affected by a use-after-free vulnerability in the processing     of the GetURL function on a global object window that could result in arbitrary code execution in the     context of the current user. Exploitation of this issue requires user interaction in that a victim must     open a malicious file. (CVE-2021-40728)

  - Adobe Acrobat Reader DC version 21.007.20095 (and earlier), 21.007.20096 (and earlier), 20.004.30015 (and     earlier), and 17.011.30202 (and earlier) is affected by a out-of-bounds read vulnerability that could lead     to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations     such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious     PDF file. (CVE-2021-40729)

  - Adobe Acrobat Reader DC version 21.007.20095 (and earlier), 21.007.20096 (and earlier), 20.004.30015 (and     earlier), and 17.011.30202 (and earlier) is affected by a use-after-free that allow a remote attacker to     disclose sensitive information on affected installations of of Adobe Acrobat Reader DC. User interaction     is required to exploit this vulnerability in that the target must visit a malicious page or open a     malicious file. The specific flaw exists within the parsing of JPG2000 images. (CVE-2021-40730)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
154155	Adobe Reader < 17.011.30204 / 20.004.30017 / 21.007.20099 Multiple Vulnerabilities (APSB21-104)	Nessus	Windows	high
154154	Adobe Reader < 17.011.30204 / 20.004.30017 / 21.007.20099 Multiple Vulnerabilities (APSB21-104) (macOS)	Nessus	MacOS X Local Security Checks	high
154153	Adobe Acrobat < 17.011.30204 / 20.004.30017 / 21.007.20099 Multiple Vulnerabilities (APSB21-104)	Nessus	Windows	high
154152	Adobe Acrobat < 17.011.30204 / 20.004.30017 / 21.007.20099 Multiple Vulnerabilities (APSB21-104) (macOS)	Nessus	MacOS X Local Security Checks	high

CVE-2021-40730

low

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Configuration 4

Tenable Plugins

high

high

high

high