Over the past few weeks, Adobe issued updates for vulnerabilities affecting multiple products. Timely updates are recommended.
- Adobe's August 2021 updates address arbitrary code execution, memory leaks, denial-of-service, and arbitrary file system read issues.
- The flaws require a user to be authenticated for successful exploitation.
- Adobe has not reported any public proof-of-concept (POC) implementations or current campaigns exploiting these vulnerabilities.
- Adobe XMP-Toolkit-SDK 2021.07 fixes 11 vulnerabilities; the most severe of them received a CVSS v3.1 score of 8.8. The flaw is tracked as CVE-2021-36052 and could allow arbitrary code execution.
- Adobe Media Encoder 15.4.1 fixes CVE-2021-36070, an Access of Memory Location After End of Buffer issue that could allow arbitrary code execution. The flaw received a CVSS v3.1 score of 7.8.
- Adobe Bridge 11.1.1 and 10.1.3 updates fix 14 vulnerabilities. The most severe of these flaws, CVE-2021-36078, received a CVSS v3.1 score of 8.8, and could allow arbitrary code execution.
- Photoshop 2020 v.21.2.11 and Photoshop 2021 v.22.5 fix two flaws with a CVSS v3.1 score of 7.8. Both could allow arbitrary code execution.
- Adobe Captivate 2019 v.11.5.5 and earlier versions received a Hotfix for a Privilege Escalation flaw rated 5 on the CVSS v3.1 scale.
- Follow Adobe’s guidance and update the noted products to the latest release, depending on the version running.
- Users can update their product installations manually by choosing Help > Check for Updates.
- We recommend applying the Principle of Least Privilege to all systems and services as an additional mitigation measure for these flaws.