Adobe Patches Critical Flaws in Photoshop, Media Encoder, Bridge and XMP-Toolkit-SDK

Adobe has issued security updates and patches to correct critical vulnerabilities in several of its products. The out-of-band patches cover multiple flaws across Adobe Photoshop, Adobe Media Encoder, Adobe Bridge, Adobe XMP-Toolkit-SDK, and Adobe Captivate.

In all cases, even for the critical vulnerabilities, Adobe has assigned a priority rating of 3, as the flaws are in products that have not historically been a target for attackers; however, it is still advisable to ensure the products are patched as soon as possible.

Adobe Photoshop

Two critical memory corruption flaws have been identified in Adobe Photoshop which could lead to remote code execution. The flaws affect Photoshop 2020 (21.2.10 and earlier versions) and Photoshop 2021 (22.4.3 and earlier versions). While the security update rates them critical, they have been assigned a CVSS severity score of 7.8 out of 10.

The vulnerabilities are a heap-based buffer overflow flaw – CVE-2021-36065 – and an out-of-bounds write vulnerability – CVE-2021-36066.

Patches will be pushed out to address both flaws via the automatic updating feature of the software.

Adobe Bridge

Patches have been released to fix 14 vulnerabilities in Adobe Bridge, 12 of which are rated critical by Adobe, one important, and one moderate. The vulnerabilities affect Adobe Bridge version 11.1.1 and earlier.

  • CVE-2021-36072 – Critical – Out-of-bounds write vulnerability allowing code execution – CVSS 7.8
  • CVE-2021-36078 – Critical – Access of memory location after end of buffer allowing code execution – CVSS 8.8
  • CVE-2021-36073 – Critical – Heap-based buffer overflow allowing code execution – CVSS 7.8
  • CVE-2021-36079 – Critical – Out-of-bounds read allowing code execution – CVSS 7.8
  • CVE-2021-36074 – Critical – Out-of-bounds read memory leak flaw – CVSS 7.8
  • CVE-2021-36075 – Critical – Buffer overflow allowing code execution – CVSS 7.8
  • CVE-2021-36067 – Critical – Access of memory location after end of buffer allowing code execution – CVSS 7.8
  • CVE-2021-36068 – Critical – Access of memory location after end of buffer allowing code execution – CVSS 7.8
  • CVE-2021-36069 – Critical – Access of memory location after end of buffer allowing code execution – CVSS 7.8
  • CVE-2021-36049 – Critical – Access of memory location after end of buffer allowing code execution – CVSS 7.8
  • CVE-2021-36076 – Critical – Access of memory location after end of buffer allowing code execution – CVSS 7.8
  • CVE-2021-36059 – Critical – Access of memory location after end of buffer allowing code execution – CVSS 7.8
  • CVE-2021-36077 – Important – Access of memory location after end of buffer – CVSS 5.5
  • CVE-2021-36071 – Moderate – Out-of-bounds read – CVSS 3.3

Adobe XMP-Toolkit-SDK

Patches have been released to correct 14 CVEs in the Adobe XMP-Toolkit-SDK, 8 of which are rated critical and 6 important. The flaws affect version 2020.1 and earlier:

  • CVE-2021-36052 – Critical – Access of memory location after end of buffer allowing code execution – CVSS 8.8
  • CVE-2021-36064 – Critical – Buffer underwrite allowing code execution – CVSS 8.4
  • CVE-2021-36046 – Critical – Access of memory location after end of buffer leading to code execution – CVSS 7.8
  • CVE-2021-36047 – Critical – Improper input validation allowing code execution – CVSS 7.8
  • CVE-2021-36048 – Critical – Improper input validation allowing code execution – CVSS 7.8
  • CVE-2021-36050 – Critical – Heap-based buffer overflow leading to code execution – CVSS 7.8
  • CVE-2021-36051 – Critical – Heap-based buffer overflow leading to code execution – CVSS 7.8
  • CVE-2021-36045 – Critical – Out-of-bounds read flaw allowing arbitrary file system read – CVSS 7.1
  • CVE-2021-36058 – Important – Integer overflow or wraparound leading to denial of service – CVSS 6.6
  • CVE-2021-36054 – Important – Heap-based buffer overflow leading to denial of service – CVSS 6.1
  • CVE-2021-36055 – Important – Use-after-free leading to denial of service – CVSS 6.1
  • CVE-2021-36056 – Important – Use-after-free leading to denial of service – CVSS 6.1
  • CVE-2021-36053 – Important – Out-of-bounds read leading to denial of service – CVSS 5.0
  • CVE-2021-36057 – Important – Write-what-where condition allowing code execution – CVSS 4.7

Adobe Media Encoder

A patch has been released to fix a critical flaw – CVE-2021-36070 – in Adobe Media Encoder, which affects version 15.4 and earlier. The flaw is due to access of a memory location after the end of a buffer and can allow code execution. It has been assigned a CVSS severity score of 7.8.

Adobe Captivate

One flaw has been patched in Adobe Captivate 2019 which affects version 11.5.5 and earlier. The flaw, tracked as CVE-2021-36002, is a privilege escalation issue due to the creation of a temporary file in a directory with incorrect permissions. The flaw is rated important and has a CVSS severity score of 5.0.
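As an added example (not from the advisory or from Adobe), a small Python triage helper that encodes the affected-version ceilings stated above for each product and flags installed builds that fall at or below them; the inventory it checks is constructed sample data, and the product keys are names chosen here, not Adobe identifiers.

```python
"""Triage installed Adobe product versions against the affected ranges
stated in this advisory. Added example, not Adobe tooling."""

# Highest affected version per product, as stated in the advisory
# ("X and earlier"). Product keys are labels chosen for this example.
AFFECTED = {
    "Photoshop 2020": "21.2.10",
    "Photoshop 2021": "22.4.3",
    "Bridge": "11.1.1",
    "XMP-Toolkit-SDK": "2020.1",
    "Media Encoder": "15.4",
    "Captivate 2019": "11.5.5",
}


def parse_version(v):
    """Turn '21.2.10' into (21, 2, 10) so comparison is numeric, not
    lexical: as strings, '21.2.9' > '21.2.10', which would miss a patch."""
    return tuple(int(part) for part in v.strip().split("."))


def is_affected(product, installed):
    """True when the installed version is at or below the advisory's
    ceiling for that product. Shorter tuples are zero-padded so that
    '15.4' and '15.4.0' compare equal."""
    ceiling = parse_version(AFFECTED[product])
    current = parse_version(installed)
    width = max(len(ceiling), len(current))
    ceiling += (0,) * (width - len(ceiling))
    current += (0,) * (width - len(current))
    return current <= ceiling


def triage(inventory):
    """Return the sorted list of products in inventory that still need
    the update according to the advisory's affected ranges."""
    return sorted(p for p, v in inventory.items() if is_affected(p, v))


# Constructed inventory for one example workstation (not real data).
SAMPLE_INVENTORY = {
    "Photoshop 2020": "21.2.9",  # below 21.2.10: affected
    "Bridge": "11.1.2",          # above 11.1.1: outside stated range
    "Media Encoder": "15.4",     # equals 15.4.0: affected
    "Captivate 2019": "11.6.0",  # above 11.5.5: outside stated range
}

if __name__ == "__main__":
    for product in triage(SAMPLE_INVENTORY):
        print(f"{product} {SAMPLE_INVENTORY[product]}: update required")
```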

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news