Headline
CVE-2021-36049: Adobe Security Bulletin
Adobe Bridge version 11.1 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious Bridge file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability.
Security Updates Available for Adobe Bridge | APSB21-69
| Bulletin ID | Date Published | Priority |
|---|---|---|
| APSB21-69 | August 17, 2021 | 3 |
Summary
Adobe has released a security update for Adobe Bridge. This update addresses one moderate, one important and multiple critical vulnerabilities that could lead to arbitrary code execution in the context of the current user.
Affected Versions
| Product | Version | Platform |
|---|---|---|
| Adobe Bridge | 11.1 and earlier versions | Windows |
Solution
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version via the Creative Cloud desktop app’s update mechanism. For more information, please reference this help page.
| Product | Version | Platform | Priority | Availability |
|---|---|---|---|---|
| Adobe Bridge | 11.1.1 | Windows and macOS | 3 | Download Page |
| Adobe Bridge | 10.1.3 | Windows and macOS | 3 | Download Page |
Vulnerability details
| Vulnerability Category | Vulnerability Impact | Severity | CVSS base score | CVSS vector | CVE Numbers |
|---|---|---|---|---|---|
| Out-of-bounds Write (CWE-787) | Arbitrary code execution | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2021-36072 |
| Access of Memory Location After End of Buffer (CWE-788) | Arbitrary code execution | Critical | 8.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2021-36078 |
| Heap-based Buffer Overflow (CWE-122) | Arbitrary code execution | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2021-36073 |
| Out-of-bounds Read (CWE-125) | Arbitrary code execution | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2021-36079 |
| Out-of-bounds Read (CWE-125) | Memory leak | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2021-36074 |
| Buffer Overflow (CWE-120) | Arbitrary code execution | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2021-36075 |
| Access of Memory Location After End of Buffer (CWE-788) | Application denial-of-service | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H | CVE-2021-36077 |
| Out-of-bounds Read (CWE-125) | Arbitrary file system read | Moderate | 3.3 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N | CVE-2021-36071 |
| Access of Memory Location After End of Buffer (CWE-788) | Arbitrary code execution | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2021-36067, CVE-2021-36068, CVE-2021-36069, CVE-2021-36049, CVE-2021-36076, CVE-2021-36059, CVE-2021-39816, CVE-2021-39817 |
Acknowledgments
Adobe would like to thank the following researchers for reporting these issues and for working with Adobe to help protect our customers:
- CFF of Topsec Alpha Team (cff_123) (CVE-2021-36067, CVE-2021-36068, CVE-2021-36069, CVE-2021-36075, CVE-2021-36076, CVE-2021-36059, CVE-2021-39816, CVE-2021-39817)
- CQY of Topsec Alpha Team (yjdfy) (CVE-2021-36049, CVE-2021-36077)
- Kdot working with Trend Micro Zero Day Initiative (CVE-2021-36072, CVE-2021-36073)
- Qiao Li of Baidu Security Lab working with Trend Micro Zero Day Initiative (CVE-2021-36078)
- Mat Powell of Trend Micro Zero Day Initiative (CVE-2021-36079, CVE-2021-36074, CVE-2021-36071)
For more information, visit https://helpx.adobe.com/security.html, or email [email protected]