CVE-2022-28244
Adobe Acrobat Reader DC CSP Bypass Leads To Privilege Escalation
In short
Adobe Acrobat Reader DC has a flaw that allows attackers to bypass security policies designed to prevent unauthorized cross-origin requests. An attacker can trick a user into opening a malicious PDF file, which then sends unwanted requests to other websites on behalf of the victim.
Technical detail
CVE-2022-28244 involves a Content Security Policy (CSP) bypass in Acrobat Reader DC through violation of secure design principles. The attack vector requires user interaction (opening a crafted PDF from an attacker-controlled server) and allows execution of arbitrary cross-origin requests. The impact enables unauthorized actions against third-party domains in the victim's security context.
Summary generated and translated by AI from the official description.
Acrobat Reader DC versions 22.001.20085 (and earlier), 20.005.3031x (and earlier) and 17.012.30205 (and earlier) is affected by a violation of secure design principles through bypassing the content security policy, which could result in an attacker sending arbitrarily configured requests to the cross-origin attack target domain. Exploitation requires user interaction in which the victim needs to access a crafted PDF file on an attacker's server.
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Affected products
Adobe · Acrobat ReaderWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →