Advisory for Adobe Security Updates

  • NIC-CERT/2022-10/434
  • Date: 2022-10-12
  • CVE ID: Multiple
  • Severity: Critical

A. Description:

Adobe has released security updates for multiple Adobe products (ColdFusion, Acrobat and Acrobat Reader, Adobe Commerce and Magento Open Source, and Adobe Dimension). An attacker could exploit these vulnerabilities to take control of the affected system.

B. Security Issues Fixed:

The updates address stack- and heap-based buffer overflows, use-after-free and out-of-bounds read bugs (leading to arbitrary code execution or memory leak), XML external entity (XXE) injection, path traversal, stored cross-site scripting, use of hard-coded credentials, information exposure and a NULL pointer dereference. The most severe of these allow unauthenticated remote code execution.

C. Vulnerability Details:

Vulnerability Category | Vulnerability Impact | CVSS Vector | CVE Number
---------------------- | -------------------- | ----------- | ----------
Stack-based Buffer Overflow (CWE-121) | Arbitrary code execution | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | CVE-2022-35710
Heap-based Buffer Overflow (CWE-122) | Arbitrary code execution | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | CVE-2022-35711
Stack-based Buffer Overflow (CWE-121) | Arbitrary code execution | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | CVE-2022-35690
Heap-based Buffer Overflow (CWE-122) | Arbitrary code execution | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | CVE-2022-35712
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22) | Arbitrary code execution | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | CVE-2022-38418
Improper Restriction of XML External Entity Reference ('XXE') (CWE-611) | Arbitrary file system read | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N | CVE-2022-38419
Use of Hard-coded Credentials (CWE-798) | Privilege escalation | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H | CVE-2022-38420
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22) | Arbitrary code execution | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H | CVE-2022-38421
Information Exposure (CWE-200) | Security feature bypass | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | CVE-2022-38422
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22) | Security feature bypass | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N | CVE-2022-38423
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22) | Arbitrary file system write | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | CVE-2022-38424
Improper Input Validation (CWE-20) | Arbitrary file system read | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | CVE-2022-42340
Improper Restriction of XML External Entity Reference ('XXE') (CWE-611) | Arbitrary file system read | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | CVE-2022-42341
NULL Pointer Dereference (CWE-476) | Application denial-of-service | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H | CVE-2022-35691
Use After Free (CWE-416) | Memory leak | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2022-38437
Stack-based Buffer Overflow (CWE-121) | Arbitrary code execution | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2022-38450
Stack-based Buffer Overflow (CWE-121) | Arbitrary code execution | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2022-42339
Out-of-bounds Read (CWE-125) | Memory leak | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2022-38449
Out-of-bounds Read (CWE-125) | Memory leak | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2022-42342
Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | CVE-2022-35698
Out-of-bounds Read (CWE-125) | Arbitrary code execution | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2022-38440
Out-of-bounds Read (CWE-125) | Arbitrary code execution | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2022-38441
Use After Free (CWE-416) | Arbitrary code execution | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2022-38442
Out-of-bounds Read (CWE-125) | Memory leak | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2022-38443
Use After Free (CWE-416) | Arbitrary code execution | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2022-38444
Use After Free (CWE-416) | Arbitrary code execution | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2022-38445
Use After Free (CWE-416) | Arbitrary code execution | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2022-38446
Use After Free (CWE-416) | Arbitrary code execution | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2022-38447
Use After Free (CWE-416) | Arbitrary code execution | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2022-38448

D. Affected Products and Solutions:

Product | Affected Version | Platform | Updated Version
------- | ---------------- | -------- | ---------------
ColdFusion 2018 | Update 14 and earlier versions | All | Update 15
ColdFusion 2021 | Update 4 and earlier versions | All | Update 5
Acrobat DC | 22.002.20212 and earlier versions | Windows and macOS | 22.003.20258
Acrobat Reader DC | 22.002.20212 and earlier versions | Windows and macOS | 22.003.20258
Acrobat 2020 | 20.005.30381 and earlier versions | Windows and macOS | 20.005.30407
Acrobat Reader 2020 | 20.005.30381 and earlier versions | Windows and macOS | 20.005.30407
Adobe Commerce | 2.4.5 and earlier versions | All | 2.4.5-p1
Adobe Commerce | 2.4.4-p1 and earlier versions | All | 2.4.4-p2
Magento Open Source | 2.4.5 and earlier versions | All | 2.4.5-p1
Magento Open Source | 2.4.4-p1 and earlier versions | All | 2.4.4-p2
Adobe Dimension | 3.4.5 and earlier versions | Windows and macOS | 3.4.6
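The "and earlier versions" ranges above are not one linear ordering: Adobe Commerce and Magento Open Source are patched on two branches, so an installed 2.4.4-p2 is fixed even though it sorts before the affected 2.4.5, and a naive "less than the newest fixed version" comparison would report it as vulnerable. The Python below is an added example, not part of this advisory or of any Adobe tooling: it encodes the fixed releases from the table above, parses the three version schemes the table uses ("Update 15", "22.003.20258", "2.4.4-p2"), and checks an inventory of constructed sample values, comparing within a branch whenever a fixed release exists on that branch.

```python
import re
from typing import NamedTuple

# First fixed release per product, transcribed from the table above.
# Products patched on more than one branch list one fixed release per branch.
FIXED_VERSIONS = {
    "ColdFusion 2018": ["Update 15"],
    "ColdFusion 2021": ["Update 5"],
    "Acrobat DC": ["22.003.20258"],
    "Acrobat Reader DC": ["22.003.20258"],
    "Acrobat 2020": ["20.005.30407"],
    "Acrobat Reader 2020": ["20.005.30407"],
    "Adobe Commerce": ["2.4.4-p2", "2.4.5-p1"],
    "Magento Open Source": ["2.4.4-p2", "2.4.5-p1"],
    "Adobe Dimension": ["3.4.6"],
}


class Version(NamedTuple):
    branch: tuple   # numeric release without any -pN suffix, e.g. (2, 4, 4)
    key: tuple      # branch plus patch-suffix number, used for ordering


def parse_version(text: str) -> Version:
    """Parse 'Update 15', '22.003.20258' or '2.4.4-p2'.
    Zero-padded components (22.003) are compared numerically, not as strings."""
    text = text.strip()
    m = re.fullmatch(r"Update\s+(\d+)", text)
    if m:
        base, patch = (int(m.group(1)),), 0
    else:
        m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-p(\d+))?", text)
        if not m:
            raise ValueError(f"unrecognised version string: {text!r}")
        base = tuple(int(p) for p in m.group(1).split("."))
        patch = int(m.group(2) or 0)
    return Version(base, base + (patch,))


def is_affected(product: str, installed: str) -> bool:
    """True if the installed release is older than the fix for its branch."""
    inst = parse_version(installed)
    fixes = sorted(parse_version(v) for v in FIXED_VERSIONS[product])
    # A fixed release exists on the installed branch (2.4.4-p1 vs 2.4.4-p2):
    # only the patch level decides, regardless of newer branches.
    for fix in fixes:
        if fix.branch == inst.branch:
            return inst.key < fix.key
    # No fix on this branch (2.4.3, or 22.002.x against 22.003.x): affected
    # unless it is newer than the newest fixed release in the table.
    return inst.key < fixes[-1].key


def triage(inventory):
    """inventory: list of (product, installed_version).
    Returns [(product, version, affected)] in the same order."""
    return [(p, v, is_affected(p, v)) for p, v in inventory]


if __name__ == "__main__":
    # Constructed sample inventory; not real host data.
    sample = [
        ("ColdFusion 2021", "Update 4"),
        ("Acrobat Reader DC", "22.002.20212"),
        ("Adobe Commerce", "2.4.4-p2"),   # fixed, although it sorts before 2.4.5
        ("Adobe Commerce", "2.4.5"),      # affected until 2.4.5-p1
        ("Adobe Dimension", "3.4.6"),
    ]
    for product, version, affected in triage(sample):
        print(f"{product:<20} {version:<14} {'AFFECTED' if affected else 'patched'}")
```

The branch rule is the part to keep if you adapt this to other advisories: whenever a vendor ships a security patch release on an older branch, "X and earlier" must be read per branch, and any tool that flattens the table into a single comparison will either miss the older-branch fix or, worse, tell a team that its freshly patched 2.4.4-p2 still needs work.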

E. References:

https://helpx.adobe.com/security.html