Arbitrary code execution in Adobe Creative Cloud Desktop Application



Published: 2016-10-12 | Updated: 2016-10-13
Risk High
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2016-6935
CWE-ID CWE-427
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		Creative Cloud Desktop Application
Universal components / Libraries / Software for developers

Vendor Adobe

Security Bulletin

This security bulletin contains one high risk vulnerability.

1) Arbitrary code execution

EUVDB-ID: #VU934

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-6935

CWE-ID: CWE-427 - Uncontrolled Search Path Element

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated user to execute arbitrary code on the targeted system.
The weakness is due to an unquoted search path in the affected software. By persuading the victim to view a specially crafted PDF file, attackers can load the application or execute arbirtary code.
Successful exploitation of the vulnerability will result in arbitrary code execution on the vulnerable system.

Mitigation

Update to version 3.8.0.310.

Vulnerable software versions

Creative Cloud Desktop Application: 3.5.0.206 - 3.7.0.272

External links

http://helpx.adobe.com/security/products/creative-cloud/apsb16-34.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###