CVE-2024-49511 – Adobe InDesign has an out-of-bounds read vulner... (How to Fix)

Q: What is the severity of CVE-2024-49511?

CVE-2024-49511 has a CVSS score of 5.5 (MEDIUM). Adobe InDesign has an out-of-bounds read vulnerability that could allow attackers to read sensitive memory contents when a user opens a malicious file. This could help bypass security mitigations like ASLR. Users of InDesign Desktop versions ID18.5.3, ID19.5 and earlier are affected.

📋 TL;DR

Adobe InDesign has an out-of-bounds read vulnerability that could allow attackers to read sensitive memory contents when a user opens a malicious file. This could help bypass security mitigations like ASLR. Users of InDesign Desktop versions ID18.5.3, ID19.5 and earlier are affected.

💻 Affected Systems

Products:

Adobe InDesign Desktop

Versions: ID18.5.3, ID19.5 and earlier

Operating Systems: Windows, macOS

Default Config Vulnerable: ⚠️ Yes

Notes: All default configurations of affected versions are vulnerable

📦 What is this software?

Indesign by Adobe

View all CVEs affecting Indesign →

Indesign by Adobe

View all CVEs affecting Indesign →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Memory disclosure leading to ASLR bypass enabling more severe follow-on attacks like remote code execution

🟠

Likely Case

Information disclosure of sensitive memory contents, potentially revealing application data or system information

🟢

If Mitigated

Limited impact due to user interaction requirement and memory read-only nature

🌐 Internet-Facing: LOW - Requires user to open malicious file, not directly network exploitable

🏢 Internal Only: MEDIUM - Internal users could be targeted via phishing or shared malicious files

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires user interaction (opening malicious file) and is an out-of-bounds read, not write

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: ID19.5.1 and later for InDesign 19.x; ID18.5.4 and later for InDesign 18.x

Vendor Advisory: https://helpx.adobe.com/security/products/indesign/apsb24-88.html

Restart Required: Yes

Instructions:

1. Open Adobe Creative Cloud application 2. Navigate to 'Apps' tab 3. Find InDesign and click 'Update' 4. Restart computer after update completes

🔧 Temporary Workarounds

Restrict InDesign file execution

all

Configure application control to block execution of InDesign files from untrusted sources

User awareness training

all

Train users to only open InDesign files from trusted sources

🧯 If You Can't Patch

Implement application whitelisting to restrict InDesign execution to trusted locations only
Use email filtering and web gateways to block malicious InDesign file attachments

🔍 How to Verify

Check if Vulnerable:

Check InDesign version via Help > About InDesign menu

Check Version:

On Windows: Check Add/Remove Programs for Adobe InDesign version. On macOS: Check Applications folder > Adobe InDesign > Get Info

Verify Fix Applied:

Verify version is ID19.5.1 or later (for 19.x) or ID18.5.4 or later (for 18.x)

📡 Detection & Monitoring

Log Indicators:

Application crashes of InDesign with memory access violations
Security software alerts for suspicious InDesign file execution

Network Indicators:

Downloads of InDesign files from untrusted sources

SIEM Query:

source="*indesign*" AND (event_type="crash" OR event_type="access_violation")

📊 Metadata

CVE ID: CVE-2024-49511

CVSS v3 Score: 5.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CWE: CWE-125

Published: November 12, 2024

Last Updated: November 16, 2024

🔗 References

https://helpx.adobe.com/security/products/indesign/apsb24-88.html Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-49511, you might also want to check these: