PT-2023-6619 · Adobe (+1) · LiveCycle ES4 (+1)

Alex Abrams (+1) · Published 2023-04-06 · Updated 2024-08-02 · CVE-2023-28500

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
- Adobe LiveCycle ES4 versions 11.0 and earlier
- Adobe LiveCycle ES4 version 11.0.1 and later with Java environment 7u21 and earlier
Description
A Java insecure deserialization vulnerability allows an unauthenticated remote attacker to execute operating system code by submitting specially crafted Java serialized objects to a specific URL of the application. Exploitation depends on two factors together: the Adobe LiveCycle application deserializes untrusted input with unsafe methods, and the Java runtime is 7u21 or earlier, which is the version range whose own classes can be chained by such a payload into code execution (a deserialization gadget chain inside the JDK itself, so no third-party library is required). The code runs in the context of the account that runs the Adobe LiveCycle application; if that account is privileged, exploitation yields privileged access to the operating system.
Recommendations
- Adobe LiveCycle ES4 versions 11.0 and earlier: these versions are no longer supported by the maintainer; upgrade to a supported version or apply alternative security measures.
- Adobe LiveCycle ES4 version 11.0.1 and later with Java environment 7u21 and earlier: update the Java environment to a version later than 7u21. Note that this removes the known JDK gadget chain but does not change the application's unsafe deserialization itself; a gadget chain from another library on the application's classpath could still be usable, so the Java update should be treated as a mitigation rather than a fix.
- As a temporary workaround, restrict network access to the Adobe LiveCycle application (for example, to trusted source addresses only) so that the vulnerable endpoint is not reachable by arbitrary clients.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
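The two passages above describe the unsafe pattern (calling readObject() on a request body that anyone can send) and a mitigation that only removes one gadget chain. The example below is added here and is not code from Adobe, from LiveCycle or from the advisory; it shows the unsafe read next to a hardened read that allow-lists the single expected class with java.io.ObjectInputFilter (JDK 9+). The class names DeserializationDemo and Ticket are hypothetical, and java.util.HashMap stands in for any type the endpoint did not ask for (a real gadget chain would simply be a different unexpected type).

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

/*
 * Added example, not part of the advisory or of Adobe LiveCycle.
 * Hypothetical endpoint that expects exactly one serialized type (Ticket).
 */
public class DeserializationDemo {

    /** The only type the endpoint legitimately accepts (hypothetical). */
    public static final class Ticket implements Serializable {
        private static final long serialVersionUID = 1L;
        final long id;
        Ticket(long id) { this.id = id; }
    }

    /**
     * Unsafe pattern: whatever class name the sender wrote into the stream is
     * resolved and instantiated, so any gadget chain on the classpath runs.
     */
    static Object readUnsafe(byte[] requestBody) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(requestBody))) {
            return in.readObject();
        }
    }

    /**
     * Hardened pattern: an allow-list filter. Only DeserializationDemo$Ticket is
     * accepted, small graph limits are enforced, and "!*" rejects every other
     * class before it is resolved or instantiated.
     */
    static Object readFiltered(byte[] requestBody) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowList = ObjectInputFilter.Config.createFilter(
                "DeserializationDemo$Ticket;maxdepth=3;maxrefs=8;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(requestBody))) {
            in.setObjectInputFilter(allowList);
            return in.readObject();
        }
    }

    /** Helper that builds the bytes a client would put in the request body. */
    static byte[] serialize(Object value) throws IOException {
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buffer)) {
            out.writeObject(value);
        }
        return buffer.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new Ticket(42L));
        // Constructed stand-in for an attacker-chosen type the endpoint never asked for.
        byte[] unexpected = serialize(new java.util.HashMap<String, String>());

        System.out.println("unsafe,   expected type   -> " + readUnsafe(expected).getClass().getName());
        System.out.println("unsafe,   unexpected type -> " + readUnsafe(unexpected).getClass().getName());

        System.out.println("filtered, expected type   -> " + readFiltered(expected).getClass().getName());
        try {
            readFiltered(unexpected);
            System.out.println("filtered, unexpected type -> accepted (should not happen)");
        } catch (InvalidClassException e) {
            System.out.println("filtered, unexpected type -> rejected: " + e.getMessage());
        }
    }
}
```

On a JDK 9 or later runtime the unsafe path instantiates java.util.HashMap without complaint, while the filtered path throws InvalidClassException before the class is loaded. For code that must stay on Java 8 or 7, the same mechanism exists as sun.misc.ObjectInputFilter and as the jdk.serialFilter system property from 8u121 and 7u131 onwards; on the 7u21-and-earlier runtimes named in this advisory no filter is available, which is why the Java update and the access restriction above are the only options short of removing the deserialization endpoint.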

Weakness Enumeration

Deserialization of Untrusted Data (CWE-502)

Related Identifiers

BDU:2023-07386
CVE-2023-28500

Affected Products

LiveCycle ES4
Java