CVE-2022-30658: 
Adobe InDesign vulnerability analysis and mitigation

Adobe InDesign versions 17.2.1 (and earlier) and 16.4.1 (and earlier) were affected by a Heap-based Buffer Overflow vulnerability identified as CVE-2022-30658. The vulnerability was discovered by Mat Powell of Trend Micro Zero Day Initiative and was publicly disclosed on June 15, 2022. The vulnerability affects Adobe InDesign software running on both Windows and macOS operating systems (ZDI Advisory, NVD).

The vulnerability exists within the parsing of embedded fonts in Adobe InDesign. The specific flaw results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. The vulnerability has been assigned a CVSS v3.0 base score of 7.8 (High) with the vector string CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, and a CVSS v2.0 base score of 9.3 with the vector (AV:N/AC:M/Au:N/C:C/I:C/A:C) (ZDI Advisory, NVD).

If successfully exploited, this vulnerability could result in arbitrary code execution in the context of the current user. An attacker can leverage this vulnerability to execute code in the context of the current process, potentially gaining control over the affected system (ZDI Advisory).

Adobe has issued an update to correct this vulnerability. Users should update their Adobe InDesign installations to versions newer than 17.2.1 or 16.4.1 depending on their installation branch (Adobe Advisory).