CVE-2023-29311: 
Adobe InDesign vulnerability analysis and mitigation

Adobe InDesign versions ID18.3 (and earlier) and ID17.4.1 (and earlier) are affected by an out-of-bounds read vulnerability (CVE-2023-29311) discovered in March 2023 and patched on July 11, 2023. The vulnerability exists in the decoding of QuarkXPress Drawing 'QXD' files and affects both Windows and macOS platforms (NVD, Fortinet).

The vulnerability is classified as an out-of-bounds read (CWE-125) with a CVSS v3.1 base score of 5.5 (Medium). The issue occurs when processing malformed QXD files, causing an out-of-bounds memory read due to an improper bounds check. The vulnerability requires user interaction, specifically opening a malicious file, and could lead to disclosure of sensitive memory (NVD, SOCRadar).

The exploitation of this vulnerability could lead to disclosure of sensitive memory information and potentially allow attackers to bypass security mitigations such as ASLR. The vulnerability enables attackers to extract sensitive information within the application's context through a malformed QXD file (NVD, Fortinet).

Adobe has released security patches to address this vulnerability. Users are advised to update to Adobe InDesign versions ID18.4 for Windows and macOS, or ID17.4.2 for Windows and macOS. Additionally, Fortinet has released an IPS signature (Adobe.InDesign.CVE-2023-29311.Memory.Leak) to protect their customers (Fortinet).