CVE-2021-21099

8.8 HIGH

📋 TL;DR

Adobe InDesign versions 16.0 and earlier contain an out-of-bounds write vulnerability when parsing malicious files. An attacker can achieve remote code execution by tricking a user into opening a crafted file, potentially compromising the victim's system. This affects all users running vulnerable versions of Adobe InDesign.

💻 Affected Systems

Products:
  • Adobe InDesign
Versions: 16.0 and earlier
Operating Systems: Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of affected versions are vulnerable by default when opening files.


⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise through remote code execution, allowing an attacker to install malware, steal data, or pivot to other systems.

🟠

Likely Case

Malware installation or data theft when users open malicious InDesign files from untrusted sources.

🟢

If Mitigated

Limited impact with proper patching, user training, and file validation controls in place.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction to open malicious file but is otherwise straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 16.1 and later

Vendor Advisory: https://helpx.adobe.com/security/products/indesign/apsb21-22.html

Restart Required: Yes

Instructions:

1. Open Adobe InDesign.
2. Go to Help > Updates.
3. Install available updates to version 16.1 or later.
4. Restart InDesign after installation.

🔧 Temporary Workarounds

Restrict file opening

Platform: all

Configure InDesign to only open files from trusted locations or disable automatic file opening.

Application control

Platform: all

Use application whitelisting to prevent execution of unauthorized code from InDesign.

🧯 If You Can't Patch

  • Implement strict file validation policies to block untrusted InDesign files
  • Use sandboxing or virtualization for InDesign usage with untrusted files

🔍 How to Verify

Check if Vulnerable:

Check the InDesign version via Help > About InDesign. If the version is 16.0 or earlier, the system is vulnerable.

Check Version:

On Windows: check the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\InDesign\Version.
On macOS: check /Applications/Adobe InDesign/Adobe InDesign.app/Contents/Info.plist

Verify Fix Applied:

Verify InDesign version is 16.1 or later via Help > About InDesign.
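The version check described above, written as an added Python script (it is not part of this advisory). The registry key and the Info.plist path are the ones quoted above; the registry value name `Version` and the plist key `CFBundleShortVersionString` are assumptions. The embedded plist is a constructed sample so the comparison logic can be exercised on any OS.

```python
"""Decide whether an Adobe InDesign install falls in the vulnerable range
for CVE-2021-21099 (16.0 and earlier; first fixed release is 16.1).

Added example, not part of the advisory. Paths are the ones the advisory
quotes; the registry value name and plist key are assumptions.
"""
import plistlib
import re
import sys

FIXED_VERSION = (16, 1)  # advisory: "Patch Version: 16.1 and later"

# Locations quoted by the advisory
WIN_REG_KEY = r"SOFTWARE\Adobe\InDesign"
WIN_REG_VALUE = "Version"  # assumption: 'Version' is a value under that key
MAC_PLIST = "/Applications/Adobe InDesign/Adobe InDesign.app/Contents/Info.plist"

# Constructed sample Info.plist so the check runs offline on any OS
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleName</key>
    <string>Adobe InDesign</string>
    <key>CFBundleShortVersionString</key>
    <string>16.0.2</string>
</dict>
</plist>
"""


def parse_version(text):
    """Turn '16.0.2' into (16, 0, 2); non-numeric noise is ignored."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version_text):
    """True when the version sorts below the first fixed release (16.1).

    Tuple comparison handles point releases: (16, 0, 2) < (16, 1) is True,
    (16, 1, 0) < (16, 1) is False.
    """
    return parse_version(version_text) < FIXED_VERSION


def version_from_plist(plist_bytes):
    """Read the bundle version string from an Info.plist (XML or binary)."""
    info = plistlib.loads(plist_bytes)
    return info["CFBundleShortVersionString"]  # assumption: standard bundle key


def version_from_windows_registry():
    """Read the version value the advisory points at (Windows only)."""
    import winreg  # only importable on Windows

    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WIN_REG_KEY) as key:
        value, _ = winreg.QueryValueEx(key, WIN_REG_VALUE)
    return str(value)


def main():
    if sys.platform == "darwin":
        with open(MAC_PLIST, "rb") as fh:
            version = version_from_plist(fh.read())
    elif sys.platform == "win32":
        version = version_from_windows_registry()
    else:
        # Other platforms: demonstrate on the constructed sample plist
        version = version_from_plist(SAMPLE_PLIST)
    state = "VULNERABLE" if is_vulnerable(version) else "patched"
    print(f"InDesign {version}: {state} (CVE-2021-21099, fixed in 16.1)")


if __name__ == "__main__":
    main()
```

On a managed fleet the same comparison can be fed from inventory data (the version string an EDR or MDM already collects) instead of reading the file or registry on each host.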

📡 Detection & Monitoring

Log Indicators:

  • Unexpected InDesign crashes
  • Unusual file access patterns from InDesign process

Network Indicators:

  • Downloads of InDesign files from untrusted sources

SIEM Query:

process_name:"InDesign.exe" AND (event_type:"process_creation" OR event_type:"file_access") AND file_extension:(".indd" OR ".indt")
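The same query logic applied to constructed log lines, as an added Python example (not part of this advisory). The field names follow the query above; the log format (space-separated `key="value"` pairs) and the sample events are constructed for the example. Note that the extension list has to stay parenthesised and scoped to `file_extension`, otherwise the trailing term is a bare string search whose grouping depends on the engine's AND/OR precedence.

```python
"""Apply the advisory's SIEM query to constructed key=value log lines.

Added example, not part of the advisory. The log format and events are
constructed; field names mirror the query (process_name, event_type,
file_extension).
"""
import re

INDD_EXTENSIONS = {".indd", ".indt"}
EVENT_TYPES = {"process_creation", "file_access"}

# Constructed sample telemetry (not real data)
SAMPLE_LOG = """\
ts=2021-03-10T09:14:02Z event_type="file_access" process_name="InDesign.exe" file_path="C:\\Users\\a\\Downloads\\invoice.indd" file_extension=".indd"
ts=2021-03-10T09:14:05Z event_type="process_creation" process_name="InDesign.exe" file_path="C:\\Users\\a\\Downloads\\template.indt" file_extension=".indt"
ts=2021-03-10T09:15:11Z event_type="file_access" process_name="InDesign.exe" file_path="C:\\Users\\a\\Documents\\notes.txt" file_extension=".txt"
ts=2021-03-10T09:16:40Z event_type="file_access" process_name="explorer.exe" file_path="C:\\Users\\a\\Downloads\\brochure.indt" file_extension=".indt"
ts=2021-03-10T09:17:00Z event_type="network_connection" process_name="InDesign.exe" dest="203.0.113.5"
"""

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(line):
    """Parse 'a="x y" b=3' into {'a': 'x y', 'b': '3'}."""
    fields = {}
    for m in _KV.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def matches_query(event):
    """process_name:"InDesign.exe"
       AND (event_type:"process_creation" OR event_type:"file_access")
       AND file_extension:(".indd" OR ".indt")"""
    return (
        event.get("process_name") == "InDesign.exe"
        and event.get("event_type") in EVENT_TYPES
        and event.get("file_extension", "").lower() in INDD_EXTENSIONS
    )


def detect(log_text):
    """Return the timestamps of events the query selects, in log order."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_kv(line)
        if matches_query(event):
            hits.append(event["ts"])
    return hits


if __name__ == "__main__":
    for ts in detect(SAMPLE_LOG):
        print("InDesign document activity:", ts)
```

Of the five constructed events only the first two match: the `.txt` access fails the extension test, the `explorer.exe` access to an `.indt` file fails the process test, and the network connection fails the event-type test. The output is a baseline of document activity to correlate with the crash and file-access indicators listed above, not an alert on its own.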

