Headline
CVE-2021-36015: Adobe Security Bulletin
Adobe Media Encoder version 15.2 (and earlier) is affected by a memory corruption vulnerability when parsing a specially crafted file. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Security Updates Available for Adobe Media Encoder | APSB21-43
Bulletin ID
Date Published
Priority
APSB21-43
July 20, 2021
3
Summary
Adobe has released an update for Adobe Media Encoder. This update resolves multiple critical and moderate vulnerabilities that could lead to arbitrary code execution in the context of the current user.
Affected Versions
Product
Version
Platform
Adobe Media Encoder
15.2 and earlier versions
Windows
Solution
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version via the Creative Cloud desktop app’s update mechanism. For more information, please reference this help page.
Product
Version
Platform
Priority
Adobe Media Encoder
15.4
Windows and macOS
3
For managed environments, IT administrators can use the Admin Console to deploy Creative Cloud applications to end users. Refer to this help page for more information.
Vulnerability details
Vulnerability Category
Vulnerability Impact
Severity
CVSS base score
CVSS vector
CVE Numbers
Out-of-bounds Read
(CWE-125)
Memory leak
Moderate
3.3
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CVE-2021-28589
CVE-2021-28590
CVE-2021-36013
Improper Input Validation
(CWE-20)
Arbitrary file system read
Moderate
3.3
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CVE-2021-36014
Access of Memory Location After End of Buffer
(CWE-788)
Arbitrary code execution
Critical
7.8
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2021-36015
Out-of-bounds Read
(CWE-125)
Memory leak
Moderate
3.3
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CVE-2021-36016
Out-of-bounds Read
(CWE-125)
Arbitrary code execution
Critical
7.8
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2021-36060
Acknowledgments
Adobe would like to thank the following for reporting the relevant issues and for working with Adobe to help protect our customers:
- CQY of Topsec Alpha Team (yjdfy) (CVE-2021-36015)
- Mat Powell of Trend Micro Zero Day Initiative (CVE-2021-36016, CVE-2021-36014, CVE-2021-36015)
- Zhangyang (retoor) (CVE-2021-28590, CVE-2021-36013, CVE-2021-28589, CVE-2021-36060)
Revisions
July 29, 2021: Updated the Vulnerability Impact, Severity, CVSS base score and the CVSS vector for CVE-2021-36016, CVE-2021-36014, CVE-2021-28589, CVE-2021-36013 and CVE-2021-28590
August 5, 2021: Included details about CVE-2021-36060.
For more information, visit https://helpx.adobe.com/security.html , or email [email protected]