Sign-up

ID

VAR-201605-0303


CVE

CVE-2016-1117


TITLE

Windows and Mac OS X Run on Adobe Reader and Acrobat In JavaScript API Vulnerability that circumvents execution restrictions

Trust: 0.8

sources: JVNDB: JVNDB-2016-002660

DESCRIPTION

Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC Classic before 15.006.30172, and Acrobat and Acrobat Reader DC Continuous before 15.016.20039 on Windows and OS X allow attackers to bypass JavaScript API execution restrictions via unspecified vectors, a different vulnerability than CVE-2016-1038, CVE-2016-1039, CVE-2016-1040, CVE-2016-1041, CVE-2016-1042, CVE-2016-1044, and CVE-2016-1062. This vulnerability CVE-2016-1038 , CVE-2016-1039 , CVE-2016-1040 , CVE-2016-1041 , CVE-2016-1042 , CVE-2016-1044 ,and CVE-2016-1062 Is a different vulnerability. Supplementary information : CWE Vulnerability type by CWE-284: Improper Access Control ( Inappropriate access control ) Has been identified. http://cwe.mitre.org/data/definitions/284.htmlBy the attacker, JavaScript API Execution restrictions may be avoided. Authentication is not required to exploit this vulnerability.The specific flaw exists within handling URL's passed to app.launchURL. A specially crafted cURL passed to app.launchURL can force a command to be executed. A remote attacker could exploit this vulnerability to execute arbitrary code in the context of the process. Adobe Reader and Acrobat are prone to multiple security-bypass vulnerabilities. Attackers can exploit these issues to bypass certain security restrictions. Successful exploitation will allow an attacker to take control of the affected system. Adobe Acrobat DC, etc. are all products of Adobe (Adobe) in the United States. Acrobat DC is a desktop PDF solution; Acrobat Reader DC is a set of tools for viewing, printing and annotating PDF. Security flaws exist in several Adobe products

Trust: 2.7

sources: NVD: CVE-2016-1117 // JVNDB: JVNDB-2016-002660 // ZDI: ZDI-16-285 // BID: 90517 // VULHUB: VHN-89936 // VULMON: CVE-2016-1117

AFFECTED PRODUCTS

vendor:adobemodel:acrobat dcscope:lteversion:15.006.30121

Trust: 1.0

vendor:adobemodel:acrobat dcscope:lteversion:15.010.20060

Trust: 1.0

vendor:adobemodel:acrobat reader dcscope:lteversion:15.006.30121

Trust: 1.0

vendor:adobemodel:readerscope:lteversion:11.0.15

Trust: 1.0

vendor:adobemodel:acrobat reader dcscope:lteversion:15.010.20060

Trust: 1.0

vendor:adobemodel:acrobatscope:lteversion:11.0.15

Trust: 1.0

vendor:adobemodel:acrobatscope:ltversion:xi desktop 11.0.16 (windows/macintosh)

Trust: 0.8

vendor:adobemodel:acrobat dcscope:ltversion:classic 15.006.30172 (windows/macintosh)

Trust: 0.8

vendor:adobemodel:acrobat dcscope:ltversion:continuous track 15.016.20039 (windows/macintosh)

Trust: 0.8

vendor:adobemodel:acrobat reader dcscope:ltversion:classic 15.006.30172 (windows/macintosh)

Trust: 0.8

vendor:adobemodel:acrobat reader dcscope:ltversion:continuous track 15.016.20039 (windows/macintosh)

Trust: 0.8

vendor:adobemodel:readerscope:ltversion:xi desktop 11.0.16 (windows/macintosh)

Trust: 0.8

vendor:adobemodel:acrobat reader dcscope: - version: -

Trust: 0.7

vendor:microsoftmodel:windowsscope: - version: -

Trust: 0.6

sources: ZDI: ZDI-16-285 // JVNDB: JVNDB-2016-002660 // CNNVD: CNNVD-201605-295 // NVD: CVE-2016-1117

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2016-1117
value: CRITICAL

Trust: 1.0

NVD: CVE-2016-1117
value: CRITICAL

Trust: 0.8

ZDI: CVE-2016-1117
value: MEDIUM

Trust: 0.7

CNNVD: CNNVD-201605-295
value: CRITICAL

Trust: 0.6

VULHUB: VHN-89936
value: HIGH

Trust: 0.1

VULMON: CVE-2016-1117
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2016-1117
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

ZDI: CVE-2016-1117
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.7

VULHUB: VHN-89936
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2016-1117
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: ZDI: ZDI-16-285 // VULHUB: VHN-89936 // VULMON: CVE-2016-1117 // JVNDB: JVNDB-2016-002660 // CNNVD: CNNVD-201605-295 // NVD: CVE-2016-1117

PROBLEMTYPE DATA

problemtype:CWE-284

Trust: 1.1

problemtype:CWE-Other

Trust: 0.8

sources: VULHUB: VHN-89936 // JVNDB: JVNDB-2016-002660 // NVD: CVE-2016-1117

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201605-295

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201605-295

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2016-002660

PATCH
title:APSB16-14url:https://helpx.adobe.com/security/products/acrobat/apsb16-14.html
Trust: 1.5
title:APSB16-14url:https://helpx.adobe.com/jp/security/products/reader/apsb16-14.html
Trust: 0.8
title:アドビ システムズ社 Adobe Reader の脆弱性に関するお知らせurl:http://www.fmworld.net/biz/common/adobe/20160512.html
Trust: 0.8
title:Multiple Adobe Product security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=61613
Trust: 0.6
sources:
            
            
            ZDI: ZDI-16-285 // 
            
            
            
            JVNDB: JVNDB-2016-002660 // 
            
            
            
            CNNVD: CNNVD-201605-295

EXTERNAL IDS
db:NVDid:CVE-2016-1117
Trust: 3.6
db:ZDIid:ZDI-16-285
Trust: 1.9
db:BIDid:90517
Trust: 1.5
db:SECTRACKid:1035828
Trust: 1.2
db:JVNDBid:JVNDB-2016-002660
Trust: 0.8
db:ZDI_CANid:ZDI-CAN-3365
Trust: 0.7
db:CNNVDid:CNNVD-201605-295
Trust: 0.7
db:AUSCERTid:ESB-2016.1146
Trust: 0.6
db:VULHUBid:VHN-89936
Trust: 0.1
db:VULMONid:CVE-2016-1117
Trust: 0.1
sources:
            
            
            ZDI: ZDI-16-285 // 
            
            
            
            VULHUB: VHN-89936 // 
            
            
            
            VULMON: CVE-2016-1117 // 
            
            
            
            BID: 90517 // 
            
            
            
            JVNDB: JVNDB-2016-002660 // 
            
            
            
            CNNVD: CNNVD-201605-295 // 
            
            
            
            NVD: CVE-2016-1117

REFERENCES
url:https://helpx.adobe.com/security/products/acrobat/apsb16-14.html
Trust: 2.5
url:http://www.securityfocus.com/bid/90517
Trust: 1.3
url:http://www.zerodayinitiative.com/advisories/zdi-16-285
Trust: 1.2
url:http://www.securitytracker.com/id/1035828
Trust: 1.2
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-1117
Trust: 0.8
url:https://www.ipa.go.jp/security/ciadr/vul/20160511-adobereader.html
Trust: 0.8
url:https://www.jpcert.or.jp/at/2016/at160023.html
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-1117
Trust: 0.8
url:http://www.npa.go.jp/cyberpolice/topics/?seq=18377
Trust: 0.8
url:https://www.auscert.org.au/render.html?it=34330
Trust: 0.6
url:http://www.adobe.com
Trust: 0.3
url:http://get.adobe.com/reader/
Trust: 0.3
url:https://cwe.mitre.org/data/definitions/284.html
Trust: 0.1
url:https://nvd.nist.gov
Trust: 0.1
sources:
            
            
            ZDI: ZDI-16-285 // 
            
            
            
            VULHUB: VHN-89936 // 
            
            
            
            VULMON: CVE-2016-1117 // 
            
            
            
            BID: 90517 // 
            
            
            
            JVNDB: JVNDB-2016-002660 // 
            
            
            
            CNNVD: CNNVD-201605-295 // 
            
            
            
            NVD: CVE-2016-1117

CREDITS
AbdulAziz Hariri - HPE Zero Day Initiative
Trust: 0.7
sources:
            
            
            ZDI: ZDI-16-285

SOURCES
db:ZDIid:ZDI-16-285
db:VULHUBid:VHN-89936
db:VULMONid:CVE-2016-1117
db:BIDid:90517
db:JVNDBid:JVNDB-2016-002660
db:CNNVDid:CNNVD-201605-295
db:NVDid:CVE-2016-1117

LAST UPDATE DATE
2025-04-13T23:03:03.734000+00:00

SOURCES UPDATE DATE
db:ZDIid:ZDI-16-285date:2016-05-10T00:00:00
db:VULHUBid:VHN-89936date:2016-12-01T00:00:00
db:VULMONid:CVE-2016-1117date:2016-12-01T00:00:00
db:BIDid:90517date:2016-07-06T14:40:00
db:JVNDBid:JVNDB-2016-002660date:2016-05-17T00:00:00
db:CNNVDid:CNNVD-201605-295date:2016-05-11T00:00:00
db:NVDid:CVE-2016-1117date:2025-04-12T10:46:40.837

SOURCES RELEASE DATE
db:ZDIid:ZDI-16-285date:2016-05-10T00:00:00
db:VULHUBid:VHN-89936date:2016-05-11T00:00:00
db:VULMONid:CVE-2016-1117date:2016-05-11T00:00:00
db:BIDid:90517date:2016-05-10T00:00:00
db:JVNDBid:JVNDB-2016-002660date:2016-05-17T00:00:00
db:CNNVDid:CNNVD-201605-295date:2016-05-11T00:00:00
db:NVDid:CVE-2016-1117date:2016-05-11T11:00:25.810