Platform: adobe
Component: adobe-document-services
Fixed version: 7.50.1
CVE-2024-47578 describes a Server-Side Request Forgery (SSRF) vulnerability within Adobe Document Services. This flaw allows an authenticated attacker with administrator privileges to craft malicious requests, potentially bypassing internal network protections. Affected versions include 7.50–ADSSSAP 7.50, and a patch is available in version 7.50.1.
The SSRF vulnerability in Adobe Document Services presents a significant risk, particularly for organizations relying on this service for internal document processing. An attacker exploiting this flaw can initiate requests from the server as if they originated internally, effectively bypassing firewalls and accessing resources that would normally be inaccessible. This could lead to unauthorized access to sensitive data, modification of critical system files, or even a complete denial of service by overwhelming the server with requests. The ability to read or modify any file on the system significantly expands the attack surface and potential damage.
This vulnerability is considered critical due to the potential for widespread impact and the relatively straightforward exploitation path given administrator privileges. While no public exploits have been widely reported, the SSRF nature of the vulnerability makes it a prime target for internal threat actors and automated scanning tools. The vulnerability was publicly disclosed on December 10, 2024. It is not currently listed on the CISA KEV catalog.
Organizations heavily reliant on Adobe Document Services for internal document processing, particularly those with legacy configurations or inadequate network segmentation, are at heightened risk. Environments where administrator privileges are broadly granted or poorly controlled are also particularly vulnerable. Shared hosting environments utilizing Adobe Document Services should be carefully reviewed for potential exposure.
• java / server:
ps -ef | grep "Adobe Document Services"
• java / server:
journalctl -u adobe-document-services -f | grep "Server-Side Request"
• generic web:
curl -I https://<your_document_services_url>/internal_resource
• generic web:
grep -r "http://internal.server/" /var/log/apache2/access.log
Exploit status
EPSS: 0.17% (38th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-47578 is to immediately upgrade Adobe Document Services to version 7.50.1 or later. If upgrading is not immediately feasible, consider implementing strict network segmentation to limit the potential impact of a successful SSRF attack. Implement robust input validation and sanitization on all user-supplied data to prevent malicious requests. Monitor network traffic for unusual outbound requests originating from the Adobe Document Services server. After upgrading, confirm the fix by attempting to trigger the SSRF vulnerability with a known payload and verifying that the request is blocked.
Apply the security patch provided in SAP Note 3536965 to fix the Server-Side Request Forgery vulnerability. Update the SAP NetWeaver AS for JAVA (Adobe Document Services) system to the latest version. Restrict access to vulnerable web applications and review the security settings.
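One way to act on the advice to monitor outbound requests from the Adobe Document Services server, as an added example that is not part of the original page or any vendor tooling. The log format, the addresses, the allowlist and the function names are all assumptions made for illustration.

```python
import ipaddress

# Constructed sample egress records: "<timestamp> <src_ip> <dst_ip> <dst_port>".
SAMPLE_LOG = """\
2024-12-11T09:00:01Z 10.20.0.8 10.20.0.15 443
2024-12-11T09:00:07Z 10.20.0.8 169.254.169.254 80
2024-12-11T09:01:12Z 10.20.0.8 127.0.0.1 8080
2024-12-11T09:02:30Z 10.20.0.9 10.20.0.77 22
2024-12-11T09:03:44Z 10.20.0.8 10.20.0.77 5432
2024-12-11T09:04:02Z 10.20.0.8 93.184.216.34 443
malformed line
"""

ADS_HOST = "10.20.0.8"    # assumed address of the document-services server
ALLOWED = {"10.20.0.15"}  # assumed destinations it legitimately calls


def classify(ip):
    """Label a destination; loopback and link-local are tested before the
    broader is_private check, which also matches them."""
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:
        return "internal"
    return "external"


def unexpected_egress(log_text, server_ip, allowed):
    """Return (timestamp, dst, port, label) for each connection from server_ip
    to a destination that is not on the allowlist."""
    server = ipaddress.ip_address(server_ip)
    allow = {ipaddress.ip_address(a) for a in allowed}
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed records
        ts, src, dst, port = fields
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port_no = int(port)
        except ValueError:
            continue  # skip records with unparsable addresses or ports
        if src_ip != server or dst_ip in allow:
            continue
        findings.append((ts, str(dst_ip), port_no, classify(dst_ip)))
    return findings
```

Loopback, link-local and internal findings are the ones to triage first, since those are destinations a network firewall would not normally expose to an outside caller.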
CVE-2024-47578 is a critical Server-Side Request Forgery vulnerability in Adobe Document Services affecting versions 7.50–ADSSSAP 7.50, allowing attackers with admin privileges to initiate requests from the server.
If you are running Adobe Document Services versions 7.50–ADSSSAP 7.50, you are potentially affected by this vulnerability. Check your version and upgrade immediately.
Upgrade Adobe Document Services to version 7.50.1 or later to remediate the SSRF vulnerability. Implement network segmentation as a temporary workaround.
While no widespread exploitation has been publicly confirmed, the SSRF nature of the vulnerability makes it a likely target for attackers. Proactive patching is essential.
Refer to the official Adobe Security Bulletin for CVE-2024-47578: [https://www.adobe.com/security/advisories/AdobeSecurityBulletinforAdobeDocumentServices.pdf](https://www.adobe.com/security/advisories/AdobeSecurityBulletinforAdobeDocumentServices.pdf)