Adobe has issued security updates and patches to correct critical vulnerabilities in several of its products. The out-of-band patches cover multiple flaws across Adobe Photoshop, Adobe Media Encoder, Adobe Bridge, Adobe XMP-Toolkit-SDK, and Adobe Captivate.
In all cases, even for the critical vulnerabilities, Adobe has assigned a priority rating of 3, as the flaws are in products that have not historically been a target for attackers; however, it is still advisable to ensure the products are patched as soon as possible.
Adobe Photoshop
Two critical memory corruption flaws have been identified in Adobe Photoshop which could lead to remote code execution. The flaws affect Photoshop 2020 (21.2.10 and earlier versions) and Photoshop 2021 (22.4.3 and earlier versions). While the security update rates them critical, they have been assigned a CVSS severity score of 7.8 out of 10.
The vulnerabilities are a heap-based buffer overflow flaw – CVE-2021-36065 – and an out-of-bounds write vulnerability – CVE-2021-36066.
Patches will be pushed out to address both flaws via the automatic updating feature of the software.
Adobe Bridge
Patches have been released to fix 14 vulnerabilities in Adobe Bridge, 12 of which are rated critical by Adobe, one important, and one moderate. The vulnerabilities affect Adobe Bridge versions 11.1.1 and earlier versions.
- CVE-2021-36072 – Critical – Out-of-bounds write vulnerability allowing code execution – CVSS 7.8
- CVE-2021-36078 – Critical – Access of memory location after end of buffer allowing code execution – CVSS 8.8
- CVE-2021-36073 – Critical – Heap-based buffer overflow allowing code execution – CVSS 7.8
- CVE-2021-36079 – Critical – Out-of-bounds read allowing code execution – CVSS 7.8
- CVE-2021-36074 – Critical – Out-of-bounds read memory leak flaw – CVSS 7.8
- CVE-2021-36075 – Critical – Buffer overflow allowing code execution – CVSS 7.8
- CVE-2021-36067 – Critical – Access of memory location after end of buffer allowing code execution – CVSS 7.8
- CVE-2021-36068 – Critical – Access of memory location after end of buffer allowing code execution – CVSS 7.8
- CVE-2021-36069 – Critical – Access of memory location after end of buffer allowing code execution – CVSS 7.8
- CVE-2021-36049 – Critical – Access of memory location after end of buffer allowing code execution – CVSS 7.8
- CVE-2021-36076 – Critical – Access of memory location after end of buffer allowing code execution – CVSS 7.8
- CVE-2021-36059 – Critical – Access of memory location after end of buffer allowing code execution – CVSS 7.8
- CVE-2021-36077 – Important – Access of memory location after end of buffer – CVSS 5.5
- CVE-2021-36071 – Moderate – Out-of-bounds read – CVSS 3.3
Adobe XMP-Toolkit-SDK
Patches have been released to correct 14 CVEs in the Adobe XMP-Toolkit-SDK, 8 of which are rated critical and 6 important. The flaws affect version 2020.1 and earlier versions:
- CVE-2021-36052 – Critical – Access of memory location after end of buffer allowing code execution – CVSS 8.8
- CVE-2021-36064 – Critical – Buffer underwrite allowing code execution – CVSS 8.4
- CVE-2021-36046 – Critical – Access of memory location after end of buffer leading to code execution – CVSS 7.8
- CVE-2021-36047 – Critical – Improper input validation allowing code execution – CVSS 7.8
- CVE-2021-36048 – Critical – Improper input validation allowing code execution – CVSS 7.8
- CVE-2021-36050 – Critical – Heap-based buffer overflow leading to code execution – CVSS 7.8
- CVE-2021-36051 – Critical – Heap-based buffer overflow leading to code execution – CVSS 7.8
- CVE-2021-36045 – Critical – Out-of-bounds read flaw allowing arbitrary file system read – CVSS 7.1
- CVE-2021-36058 – Important – Integer overflow or wraparound leading to denial of service – CVSS 6.6
- CVE-2021-36054 – Important – Heap-based buffer overflow leading to denial-of-service – CVSS 6.1
- CVE-2021-36055 – Important – Use-after-free leading to denial-of-service – CVSS 6.1
- CVE-2021-36056 – Important – Use-after-free leading to denial-of-service – CVSS 6.1
- CVE-2021-36053 – Important – Out-of-bounds read leading to denial-of-service – CVSS 5.0
- CVE-2021-36057 – Important – Write-what-where condition allowing code execution – CVSS 4.7
Adobe Media Encoder
A patch has been released to fix a critical flaw – CVE-2021-36070 – in Adobe Media Encoder which affects version 15.4 and earlier. The flaw is due to access of a memory location after the end of a buffer and can allow code execution. It has been assigned a CVSS severity score of 7.8.
Adobe Captivate
One flaw has been patched in Adobe Captivate 2019 which affects version 11.5.5 and earlier. The flaw, tracked as CVE-2021-36002, is a privilege escalation issue due to the creation of a temporary file in a directory with incorrect permissions. The flaw is rated important and has a CVSS severity score of 5.0.