CVE-2009-2993: Input Validation
First published: Mon Oct 19 2009(Updated: )
The JavaScript for Acrobat API in Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 does not properly implement the (1) Privileged Context and (2) Safe Path restrictions for unspecified JavaScript methods, which allows remote attackers to create arbitrary files, and possibly execute arbitrary code, via the cPath parameter in a crafted PDF file. NOTE: some of these details are obtained from third party information.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Adobe Acrobat Reader | =8.0 | |
| Adobe Acrobat Reader | =8.1.2 | |
| Adobe Acrobat Reader | =7.0.2 | |
| Adobe Acrobat Reader | =7.0.3 | |
| Adobe Acrobat Reader | =7.1.0 | |
| Adobe Acrobat Reader | =7.0.8 | |
| Adobe Acrobat Reader | =7.1.1 | |
| Adobe Acrobat Reader | =8.1.1 | |
| Adobe Acrobat Reader | =8.1 | |
| Adobe Acrobat Reader | =9.0 | |
| Adobe Acrobat Reader | =7.0.6 | |
| Adobe Acrobat Reader | =7.0.7 | |
| Adobe Acrobat Reader | =9.1.1 | |
| Adobe Acrobat Reader | =7.1.3 | |
| Adobe Acrobat Reader | =8.1.4 | |
| Adobe Acrobat Reader | <=9.1.3 | |
| Adobe Acrobat Reader | =7.0.1 | |
| Adobe Acrobat Reader | =7.0.5 | |
| Adobe Acrobat Reader | =7.0.4 | |
| Adobe Acrobat Reader | =9.1.2 | |
| Adobe Acrobat Reader | =7.0.9 | |
| Adobe Acrobat Reader | =8.1.6 | |
| Adobe Acrobat Reader | =7.0 | |
| Adobe Acrobat Reader | =8.1.3 | |
| Adobe Acrobat Reader Notification Manager | =7.0.9 | |
| Adobe Acrobat Reader Notification Manager | <=9.1.3 | |
| Adobe Acrobat Reader Notification Manager | =8.1.6 | |
| Adobe Acrobat Reader Notification Manager | =7.1.3 | |
| Adobe Acrobat Reader Notification Manager | =7.0.5 | |
| Adobe Acrobat Reader Notification Manager | =7.0.6 | |
| Adobe Acrobat Reader Notification Manager | =7.1.0 | |
| Adobe Acrobat Reader Notification Manager | =9.1 | |
| Adobe Acrobat Reader Notification Manager | =7.0.8 | |
| Adobe Acrobat Reader Notification Manager | =8.0 | |
| Adobe Acrobat Reader Notification Manager | =7.0.7 | |
| Adobe Acrobat Reader Notification Manager | =9.1.2 | |
| Adobe Acrobat Reader Notification Manager | =8.1.5 | |
| Adobe Acrobat Reader Notification Manager | =7.0.3 | |
| Adobe Acrobat Reader Notification Manager | =9.1.1 | |
| Adobe Acrobat Reader Notification Manager | =7.0.1 | |
| Adobe Acrobat Reader Notification Manager | =7.0.2 | |
| Adobe Acrobat Reader Notification Manager | =7.0 | |
| Adobe Acrobat Reader Notification Manager | =8.1.4 | |
| Adobe Acrobat Reader Notification Manager | =8.1.2 | |
| Adobe Acrobat Reader Notification Manager | =9.0 | |
| Adobe Acrobat Reader Notification Manager | =8.1.1 | |
| Adobe Acrobat Reader Notification Manager | =8.1 | |
| Adobe Acrobat Reader Notification Manager | =8.1.3 | |
| Adobe Acrobat Reader Notification Manager | =7.1.1 | |
| Adobe Acrobat Reader Notification Manager | =7.0.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.us-cert.gov/cas/techalerts/TA09-286B.html
- http://www.securityfocus.com/bid/36638
- http://www.vupen.com/english/advisories/2009/2898
- http://securitytracker.com/id?1023007
- http://www.kb.cert.org/vuls/id/257117
- http://www.securityfocus.com/bid/36664
- http://www.adobe.com/support/security/bulletins/apsb09-15.html
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5822
Frequently Asked Questions
What vulnerabilities are associated with CVE-2009-2993?
CVE-2009-2993 allows remote attackers to create arbitrary files and potentially execute arbitrary code due to improper implementation of the Privileged Context and Safe Path restrictions in Adobe Reader and Acrobat.
What software versions are affected by CVE-2009-2993?
CVE-2009-2993 affects Adobe Reader and Acrobat versions 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2.
How do I fix CVE-2009-2993?
To fix CVE-2009-2993, update your Adobe Reader or Acrobat to the latest version provided by Adobe.
What is the severity of CVE-2009-2993?
CVE-2009-2993 has a high severity rating due to its ability to allow remote code execution and unauthorized file creation.
Is there a workaround for CVE-2009-2993?
There are no specific workarounds for CVE-2009-2993; the best course of action is to apply the latest security updates.
- agent/references
- agent/type
- agent/remedy
- agent/weakness
- agent/author
- agent/severity
- agent/softwarecombine
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-historical
- agent/software-canonical-lookup-request
- collector/nvd-index
- vendor/adobe
- canonical/adobe acrobat reader
- version/adobe acrobat reader/8.0
- version/adobe acrobat reader/8.1.2
- version/adobe acrobat reader/7.0.2
- version/adobe acrobat reader/7.0.3
- version/adobe acrobat reader/7.1.0
- version/adobe acrobat reader/7.0.8
- version/adobe acrobat reader/7.1.1
- version/adobe acrobat reader/8.1.1
- version/adobe acrobat reader/8.1
- version/adobe acrobat reader/9.0
- version/adobe acrobat reader/7.0.6
- version/adobe acrobat reader/7.0.7
- version/adobe acrobat reader/9.1.1
- version/adobe acrobat reader/7.1.3
- version/adobe acrobat reader/8.1.4
- version/adobe acrobat reader/9.1.3
- version/adobe acrobat reader/7.0.1
- version/adobe acrobat reader/7.0.5
- version/adobe acrobat reader/7.0.4
- version/adobe acrobat reader/9.1.2
- version/adobe acrobat reader/7.0.9
- version/adobe acrobat reader/8.1.6
- version/adobe acrobat reader/7.0
- version/adobe acrobat reader/8.1.3
- canonical/adobe acrobat reader notification manager
- version/adobe acrobat reader notification manager/7.0.9
- version/adobe acrobat reader notification manager/9.1.3
- version/adobe acrobat reader notification manager/8.1.6
- version/adobe acrobat reader notification manager/7.1.3
- version/adobe acrobat reader notification manager/7.0.5
- version/adobe acrobat reader notification manager/7.0.6
- version/adobe acrobat reader notification manager/7.1.0
- version/adobe acrobat reader notification manager/9.1
- version/adobe acrobat reader notification manager/7.0.8
- version/adobe acrobat reader notification manager/8.0
- version/adobe acrobat reader notification manager/7.0.7
- version/adobe acrobat reader notification manager/9.1.2
- version/adobe acrobat reader notification manager/8.1.5
- version/adobe acrobat reader notification manager/7.0.3
- version/adobe acrobat reader notification manager/9.1.1
- version/adobe acrobat reader notification manager/7.0.1
- version/adobe acrobat reader notification manager/7.0.2
- version/adobe acrobat reader notification manager/7.0
- version/adobe acrobat reader notification manager/8.1.4
- version/adobe acrobat reader notification manager/8.1.2
- version/adobe acrobat reader notification manager/9.0
- version/adobe acrobat reader notification manager/8.1.1
- version/adobe acrobat reader notification manager/8.1
- version/adobe acrobat reader notification manager/8.1.3
- version/adobe acrobat reader notification manager/7.1.1
- version/adobe acrobat reader notification manager/7.0.4