Login
Get a Demo
Become a Partner
SOCRadar® Cyber Intelligence Inc. | Multiple Critical (CVE-2023-29308) Vulnerabilities Discovered in Adobe InDesign
Table Of Content
Home

Resources

Blog
Jul 13, 2023
3 Mins Read

Multiple Critical (CVE-2023-29308) Vulnerabilities Discovered in Adobe InDesign

A series of important zero-day vulnerabilities in Adobe InDesign has been discovered recently, and promptly reported to Adobe. In response, Adobe has released security patches on July 11, 2023, addressing these vulnerabilities.

Affected Adobe Platforms and Versions

Users of Adobe InDesign 2023 version 18.3 and earlier, as well as users of Adobe InDesign 2022 version 17.4.1 and earlier, are vulnerable to exploitation. The vulnerabilities arise when decoding QuarkXPress Drawing ‘QXD’ files. Both Windows and macOS platforms are impacted.

Details of Vulnerabilities in Adobe InDesign

The vulnerabilities, namely CVE-2023-29308 to CVE-2023-29319, have been assigned a High or Medium severity level on National Vulnerability Database (NVD). Each vulnerability stems from a distinct root cause related to a single InDesign plugin. These vulnerabilities can result in memory leaks or arbitrary code execution, posing significant risks to affected users.

  • CVE-2023-29308: The vulnerability has a CVSS score of 7.8 (High severity) and allows attackers to execute arbitrary code within the application’s context via a crafted QXD file. 

The following vulnerabilities have CVSS scores of 5.5 and are classified as Medium severity

  • CVE-2023-29309: Out-of-Bounds Read vulnerability, enabling attackers to leak sensitive information within the application through a malformed QXD file.
  • CVE-2023-29310: Out-of-Bounds Read vulnerability, leading to the leakage of sensitive information within the application’s context via a malformed QXD file.
  • CVE-2023-29311: Out-of-Bounds Read vulnerability, allowing attackers to extract sensitive information within the application through a malformed QXD file.
  • CVE-2023-29312: Out-of-Bounds Read vulnerability, resulting in the unauthorized access and retrieval of sensitive information within the application via a crafted QXD file.
  • CVE-2023-29313: Out-of-Bounds Read vulnerability, enabling attackers to obtain sensitive information within the application’s context through a malformed QXD file.
  • CVE-2023-29314:Out-of-Bounds Read vulnerability, leading to the disclosure of sensitive information within the application via a crafted QXD file.
  • CVE-2023-29315: Out-of-Bounds Read vulnerability, allowing attackers to extract sensitive information within the application’s context through a malformed QXD file.
  • CVE-2023-29316: Out-of-Bounds Read vulnerability, resulting in the unauthorized access and retrieval of sensitive information within the application via a crafted QXD file.
  • CVE-2023-29317: Out-of-Bounds Read vulnerability, enabling attackers to obtain sensitive information within the application’s context through a malformed QXD file.
  • CVE-2023-29318: Out-of-Bounds Read vulnerability, leading to the disclosure of sensitive information within the application via a crafted QXD file.
  • CVE-2023-29319: Out-of-Bounds Read vulnerability, allowing attackers to extract sensitive information within the application’s context through a malformed QXD file.

Immediate Action Required

To safeguard your system, it is crucial to apply the Adobe security patch without delay. Fortinet strongly advises users to update their Adobe InDesign installations to the latest patched versions: ID18.4 for Windows and macOS, and ID17.4.2 for Windows and macOS.

Further Information and Protection

For more detailed information on each vulnerability, please refer to the Fortinet blog written by Yonghui Han of Fortinet, who discovered the zero-day vulnerabilities. Fortinet has also shared IPS signatures specific to each vulnerability for mitigation.

Stay Secure and Updated

Organizations can leverage SOCRadar’sSupply Chain Intelligence to proactively monitor and assess the security posture of their software supply chain, including vendors like Adobe, to mitigate the risks associated with such vulnerabilities.

SOCRadar’s Supply Chain Intelligence Module, Adobe
SOCRadar’s Supply Chain Intelligence Module
Related Articles
SOCRadar® Cyber Intelligence Inc. | ShadowRay Campaign Exploits Critical Ray Framework Vulnerabilities to Compromise AI Workloads Globally
ShadowRay Campaign Exploits Critical Ray Framework Vulnerabilities to Compromise AI Workloads Globally
Apr 26, 2024
SOCRadar® Cyber Intelligence Inc. | APT28 Deploys ‘GooseEgg’ in Attacks Exploiting the Windows Print Spooler Vulnerability, CVE-2022-38028
APT28 Deploys ‘GooseEgg’ in Attacks Exploiting the Windows Print Spooler Vulnerability, CVE-2022-38028
Apr 24, 2024
SOCRadar® Cyber Intelligence Inc. | OpenMetadata Vulnerabilities Allow Attackers to Cryptomine in Kubernetes Environments
OpenMetadata Vulnerabilities Allow Attackers to Cryptomine in Kubernetes Environments
Apr 18, 2024
SOCRadar® Cyber Intelligence Inc. | CVE-2024-21006 in Oracle WebLogic Server – Oracle’s April 2024 Update Brings 441 New Security Patches
CVE-2024-21006 in Oracle WebLogic Server – Oracle’s April 2024 Update Brings 441 New Security Patches
Apr 17, 2024
SOCRadar® Cyber Intelligence Inc. | Committing a Sin, OpenJS Foundation and XZ Utils Incidents: Lessons in Open Source Security
Committing a Sin, OpenJS Foundation and XZ Utils Incidents: Lessons in Open Source Security
Apr 17, 2024