Cyber Resilience

CVE-2021-44714

Severity: Low
Published: 14 January 2022
Modified: 21 November 2024
KEV Added: not listed
CVSS Score v3.1: 2.5 (vector CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)
EPSS Score: 0.0039 (60.3rd percentile)
Risk Priority: 5 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2021-44714 is a low-severity Violation of Secure Design Principles (CWE-657) vulnerability in Adobe Acrobat DC. Its CVSS base score is 2.5 (Low).

Operationally, it is ranked in the top 39.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.


Vulnerability details

Acrobat Reader DC version 21.007.20099 (and earlier), 20.004.30017 (and earlier) and 17.011.30204 (and earlier) are affected by a Violation of Secure Design Principles that could lead to a Security feature bypass. Acrobat Reader DC displays a warning message when a user clicks on a PDF file, which could be used by an attacker to mislead the user. In affected versions, this warning message does not include custom protocols when used by the sender. User interaction is required to abuse this vulnerability as they would need to click 'allow' on the warning message of a malicious file.

CWE(s)

CWE-657: Violation of Secure Design Principles

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

adobe / acrobat dc: 15.008.20082 to 21.007.20099
adobe / acrobat reader dc: 15.008.20082 to 21.007.20099
adobe / acrobat: 17.011.30059 to 17.011.30204; 20.001.30005 to 20.004.30017
adobe / acrobat reader: 17.011.30059 to 17.011.30204; 20.001.30005 to 20.004.30017

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Establishing and updating awareness policy promotes adherence to secure design principles through ongoing training, preventing related violations. (addresses CWE-657)
- Mandating the policy be consistent with laws, standards, and guidelines enforces secure design principles in security governance and oversight. (addresses CWE-657)
- Deficiencies violating secure design principles are tracked and corrected through planned actions, limiting attacker opportunities from design flaws. (addresses CWE-657)
- Documenting, disseminating, and periodically reviewing maintenance policies and procedures enforces core secure design principles for system maintenance activities. (addresses CWE-657)
- Documented policy with defined scope, roles, responsibilities, and periodic review directly enforces secure design principles and management commitment. (addresses CWE-657)
- Baseline selection enforces adherence to established secure-design principles rather than ad-hoc or insufficient control choices. (addresses CWE-657)
- Requires risk determinations for architecture/design decisions, tailoring rationale, and alignment with enterprise architecture to avoid violations of secure design principles. (addresses CWE-657)
- Regular SSP updates force review of whether the system's evolving design continues to follow documented secure design principles after changes. (addresses CWE-657)
