Cyber Resilience

CVE-2021-28546

Medium

Published: 01 April 2021

Modified: 21 November 2024
CVSS v3.1 score: 6.5 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
EPSS score: 0.0053 (67.7th percentile)
Risk priority: 13 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2021-28546 is a medium-severity Missing Support for Integrity Check (CWE-353) vulnerability in Adobe Acrobat. Its CVSS base score is 6.5 (Medium).

Operationally, this CVE is ranked in the top 32.3% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Vulnerability details

Acrobat Reader DC versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and 2017.011.30188 (and earlier) are missing support for an integrity check. An unauthenticated attacker could leverage this vulnerability to modify content in a certified PDF without invalidating the certification. Exploitation of this issue requires user interaction in that a victim must open the tampered file.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: adobe
- acrobat: 17.011.30059 to 17.011.30188; 20.001.30005 to 20.001.30018
- acrobat dc: 15.008.20082 to 20.013.20074
- acrobat reader: 17.011.30059 to 17.011.30188; 20.001.30005 to 20.001.30018
- acrobat reader dc: 15.008.20082 to 20.013.20074

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Each control below addresses CWE-353 (Missing Support for Integrity Check):

- Irrefutable evidence of actions requires integrity protection to prevent tampering or alteration of records.
- Implements required signature-based integrity verification, addressing missing support for integrity checks on components.
- Requiring control over the integrity of all changes directly compels developers to implement integrity verification mechanisms rather than omitting them.
- Tamper detection fundamentally depends on integrity-checking capabilities that this control mandates or strengthens.
- Explicitly requires support for integrity and authenticity checks on components before acceptance into the system.
- Supplies the integrity-check artifacts (e.g., RRSIG, DNSKEY) that were previously missing for DNS responses.
- Explicitly adds support for integrity mechanisms such as checksums during preparation, preventing attacks that rely on missing integrity checks.
- Directly supplies the missing integrity verification mechanism the weakness describes.