osquery-defense-kit/vulnerabilities/vulnerable-acrobat-reader.sql

-- Vulnerable version of Adobe Acrobat Reader is installed
--
-- References:
--   * https://helpx.adobe.com/security/products/acrobat/apsb23-34.html
--
-- tags: persistent state filesystem
-- platform: darwin
SELECT
  name,
  path,
  bundle_version,
  TRIM(REGEX_MATCH (bundle_version, "^(\d+)\.", 1)) AS major,
  TRIM(REGEX_MATCH (bundle_version, "\.(\d+)$", 1)) AS patch
FROM
  apps
WHERE
  name LIKE "%Acrobat%"
  AND (
    (
      major = "23"
      AND CAST(patch AS integer) < 20285
    )
    OR (
      major = "20"
      AND CAST(patch AS integer) < 30517
    )
  )
Detect vulnerable versions of Acrobat Reader 2023-09-14 20:30:05 +00:00			`-- Vulnerable version of Adobe Acrobat Reader is installed`
			`--`
			`-- References:`
			`-- * https://helpx.adobe.com/security/products/acrobat/apsb23-34.html`
			`--`
			`-- tags: persistent state filesystem`
			`-- platform: darwin`
			`SELECT`
			`name,`
			`path,`
			`bundle_version,`
			`TRIM(REGEX_MATCH (bundle_version, "^(\d+)\.", 1)) AS major,`
			`TRIM(REGEX_MATCH (bundle_version, "\.(\d+)$", 1)) AS patch`
			`FROM`
			`apps`
			`WHERE`
			`name LIKE "%Acrobat%"`
			`AND (`
			`(`
			`major = "23"`
			`AND CAST(patch AS integer) < 20285`
			`)`
			`OR (`
			`major = "20"`
			`AND CAST(patch AS integer) < 30517`
			`)`
			`)`