Adobe has fixed 3 critical-severity flaws in Adobe Prelude, Adobe Experience Manager & Adobe Lightroom.
Adobe Systems has stamped out critical-severity flaws across its Adobe Prelude, Adobe Experience Manager & Adobe Lightroom applications. If exploited, the serious vulnerabilities could lead to arbitrary code execution.
The company issued patches for flaws tied to 1 important-rated & 3 critical-severity CVEs during its regularly scheduled Dec. security updates. The updates follow the company’s Nov. patches, in which it fixed critical-severity flaws tied to 4 CVEs in the Windows & macOS versions of its Acrobat & Reader family of applications, all of which could be exploited to execute arbitrary code on affected products.
“Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates,” says Adobe’s Tues. security update.
AEM CS, AEM 188.8.131.52 & earlier, AEM 184.108.40.206 & earlier, & AEM 220.127.116.11 & earlier are affected; AEM users can update to the fixed AEM versions, below. The update is a “priority 2”, which according to Adobe resolves flaws in a product that “has historically been at elevated risk” – but for which there are currently no known exploits.
An important-severity flaw also exists in AEM (CVE-2020-24444), which stems from blind server-side request forgery (SSRF). Blind SSRF occurs when an application can be manipulated to issue a back-end HTTP request to a supplied URL, but the response from the back-end request is not returned in the application’s front-end response. This issue can result in sensitive data disclosure, according to Adobe.
Adobe also addressed a critical vulnerability in its Lightroom Classic for Windows and macOS, which if exploited could enable arbitrary code execution in the context of the current user. Lightroom Classic is Adobe’s desktop photo-editing application.
The flaw stems from an uncontrolled search path element in Lightroom Classic, version 10.0 & earlier for Windows. An uncontrolled search path is a weakness that occurs when an application uses a fixed search path to find resources such as libraries – but one or more locations in that path are under the control of a malicious user, so a planted file can be found before the genuine one. In the case of this flaw (CVE-2020-24447) in Lightroom Classic, the issue could enable arbitrary code execution.
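To make the weakness concrete from the defender's side, here is an added audit helper (example code written for this article, not Adobe's and not tied to the Lightroom or Prelude internals): it walks a PATH-style search string and flags the entries an unprivileged user could control, and narrows that to the entries searched before the directory holding the genuine library, since only those can shadow it. The filesystem checks are injectable so the functions can be exercised on constructed input; the defaults use the real filesystem.

```python
import os
from typing import Callable, List, Tuple

# Hypothetical audit helper (added example, not Adobe's code). A finding is
# (entry, reason); reasons map onto how a search path becomes "uncontrolled"
# in the CWE-427 sense.
Finding = Tuple[str, str]


def audit_search_path(
    path_value: str,
    sep: str = os.pathsep,
    exists: Callable[[str], bool] = os.path.isdir,
    writable: Callable[[str], bool] = lambda p: os.access(p, os.W_OK),
) -> List[Finding]:
    findings: List[Finding] = []
    for raw in path_value.split(sep):
        entry = raw.strip()
        if entry in ("", "."):
            # An empty or "." entry resolves to the process's working
            # directory, which the launching user normally controls.
            findings.append((raw, "resolves-to-cwd"))
        elif not os.path.isabs(entry):
            # Relative entries likewise depend on the working directory.
            findings.append((entry, "relative"))
        elif not exists(entry):
            # A missing directory is an opening if its parent is writable:
            # whoever creates it decides what the loader finds there.
            findings.append((entry, "missing"))
        elif writable(entry):
            # Anything the current user can write to can hold a planted file.
            findings.append((entry, "writable"))
    return findings


def entries_shadowing(
    path_value: str, trusted_dir: str, sep: str = os.pathsep, **checks
) -> List[Finding]:
    # Only entries searched *before* the directory holding the genuine
    # library can shadow it, so restrict the audit to that prefix.
    order = [e.strip() for e in path_value.split(sep)]
    cutoff = order.index(trusted_dir) if trusted_dir in order else len(order)
    if cutoff == 0:
        return []
    return audit_search_path(sep.join(order[:cutoff]), sep=sep, **checks)


if __name__ == "__main__":
    # Audit the live environment of whatever process runs this script.
    for entry, reason in audit_search_path(os.environ.get("PATH", "")):
        print(f"{reason:16s} {entry!r}")
```

The same ordering logic applies to any loader that consults a list of directories in sequence; an entry before the trusted directory that is writable, missing or relative is the one worth fixing first.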
Adobe urged Lightroom Classic users on the Windows and macOS platforms to update to version 10.1. The update is a “priority 3” update, meaning it exists in a product that “has historically not been a target for attackers,” according to Adobe.
“Adobe recommends administrators install the update at their discretion,” according to the update.
A final critical vulnerability was patched in Adobe Prelude, Adobe’s logging tool for tagging media with metadata for searching, post-production workflows & footage lifecycle management. This vulnerability is another uncontrolled search path (CVE-2020-24440) that affects Adobe Prelude version 9.0.1 & earlier for Windows. If exploited, the flaw could enable arbitrary code execution.
Users are urged to update to Adobe Prelude version 9.0.2 for Windows & macOS, which Adobe has given a “priority 3” update rating.
Adobe Systems has dealt with various security issues over the past few months. In Oct., after warning of a critical vulnerability in its Flash Player application for users on Windows, macOS, Linux and ChromeOS operating systems, Adobe released 18 out-of-band security patches in 10 different software packages, including fixes for critical vulnerabilities that stretch across its product suite. Adobe Illustrator was hit the hardest.