Headline
CVE-2021-36009: Adobe Security Bulletin
Adobe Illustrator version 25.2.3 (and earlier) is affected by an memory corruption vulnerability when parsing a specially crafted file. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Security Updates Available for Adobe Illustrator | APSB21-42
Bulletin ID
Date Published
Priority
ASPB21-42
July 13, 2021
3
Summary
Adobe has released an update for Adobe Illustrator 2021. This update resolves multiple critical and important vulnerabilities that could lead to arbitrary code execution in the context of current user.
Affected Versions
Product
Version
Platform
Illustrator 2021
25.2.3 and earlier versions
Windows
Solution
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version via the Creative Cloud desktop app’s update mechanism. For more information, please reference this help page.
Product
Version
Platform
Priority
Availability
Illustrator 2021
25.3
Windows and macOS
3
Download Page
Illustrator 2020
24.3.2
Windows and macOS
3
Download Page
Vulnerability details
Vulnerability Category
Vulnerability Impact
Severity
CVSS base score
CVSS vector
CVE Numbers
Use After Free
(CWE-416)
Arbitrary file system read
Important
3.3
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CVE-2021-28593
CVE-2021-36008
Out-of-bounds write
(CWE-787)
Arbitrary code execution
Critical
7.8
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2021-28591
CVE-2021-28592
Out-of-bounds Read
(CWE-125)
Arbitrary file system read
Important
3.3
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CVE-2021-36010
Access of Memory Location After End of Buffer
(CWE-788)
Arbitrary code execution
Critical
7.8
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2021-36009
OS Command Injection (CWE-78)
Arbitrary code execution
Critical
8.3
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
CVE-2021-36011
Acknowledgments
Adobe would like to thank the following researchers for reporting these issues and for working with Adobe to help protect our customers:
- Mat Powell (@mrpowell) & Joshua Smith (@kernelsmith) of Trend Micro Zero Day Initiative (CVE-2021-28591, CVE-2021-28592, CVE-2021-28593)
- Mat Powell of Trend Micro Zero Day Initiative (CVE-2021-36010, CVE-2021-36009, CVE-2021-36008)
- Taylor Leach of Apple (CVE-2021-36011)
Revisions
July 19, 2021: Inlcuded details about CVE-2021-36010, CVE-2021-36009, CVE-2021-36008.
July 20, 2021: Included details about CVE-2021-36011
September 30, 2021: Added additional Solution row for N-1 version.
For more information, visit https://helpx.adobe.com/security.html, or email [email protected]