CVE-2008-0655
Published: 07 February 2008
Summary
CVE-2008-0655 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Adobe Acrobat. Its CVSS base score is 8.8 (High).
Operationally, it is ranked in the top 1.4% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).
Deeper analysis
CVE-2008-0655 affects Adobe Reader and Acrobat versions prior to 8.1.2 and consists of multiple unspecified vulnerabilities that carry unknown impact and attack vectors. The issue is assigned CWE-200 and receives a CVSS 3.1 base score of 8.8, reflecting network attack reachability, low complexity, no required privileges, and required user interaction that can still result in complete loss of confidentiality, integrity, and availability.
An attacker positioned on the network can supply malicious input that triggers the flaws once a user opens or interacts with a crafted document, potentially allowing arbitrary code execution or information disclosure within the affected Adobe applications.
Advisories and vendor references, including Adobe’s release notes for Reader 8.1.2 and corresponding Secunia and distribution security announcements, indicate that upgrading to version 8.1.2 or later eliminates the vulnerabilities.
No information on observed in-the-wild exploitation is supplied in the source references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2008-0665
Vulnerability details
Multiple unspecified vulnerabilities in Adobe Reader and Acrobat before 8.1.2 have unknown impact and attack vectors.
- CWE(s)
- KEV Date Added: 08 June 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
Directly requires timely identification and installation of vendor patches that eliminate the unspecified flaws in Adobe Reader/Acrobat < 8.1.2.
Enforces configuration settings that mandate only approved, patched versions of Acrobat/Reader are installed and executed.
Restricts installation or execution of the vulnerable Adobe application to only those systems where it is explicitly required, reducing attack surface.