Multiple vulnerabilities in Adobe Photoshop



Published: 2019-08-13
Severity: High
Patch available: YES
Number of vulnerabilities: 34
CVE ID: CVE-2019-7978
CVE-2019-7980
CVE-2019-7985
CVE-2019-7990
CVE-2019-7993
CVE-2019-7969
CVE-2019-7970
CVE-2019-7971
CVE-2019-7972
CVE-2019-7973
CVE-2019-7974
CVE-2019-7975
CVE-2019-7977
CVE-2019-7981
CVE-2019-7987
CVE-2019-7991
CVE-2019-7992
CVE-2019-7995
CVE-2019-7996
CVE-2019-7997
CVE-2019-7998
CVE-2019-7999
CVE-2019-8000
CVE-2019-8001
CVE-2019-7989
CVE-2019-7976
CVE-2019-7979
CVE-2019-7982
CVE-2019-7983
CVE-2019-7984
CVE-2019-7986
CVE-2019-7988
CVE-2019-7994
CWE ID: CWE-78
CWE-122
CWE-843
CWE-125
CWE-787
Exploitation vector: Network
Public exploit: N/A
Vulnerable software:
Adobe Photoshop
Client/Desktop applications / Multimedia software

Vendor: Adobe

Security Advisory

1) OS Command Injection

Severity: High

CVSSv3: 7.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: N/A

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Description

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper validation of data passed when processing Photoshop files. A remote unauthenticated attacker can create a specially crafted file, trick the victim into opening it and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Adobe Photoshop: 19.1.1, 19.1.2, 19.1.3, 19.1.4, 19.1.5, 19.1.6, 19.1.7, 19.1.8, 20.0.1, 20.0.2, 20.0.3, 20.0.4, 20.0.5

External links

https://helpx.adobe.com/security/products/photoshop/apsb19-44.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Heap-based buffer overflow

Severity: High

CVSSv3: 7.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-7978

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the processing of the put command in PostScript. A remote attacker can create a specially crafted PostScript file, trick the victim into opening it, trigger heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Adobe Photoshop: 19.1.1, 19.1.2, 19.1.3, 19.1.4, 19.1.5, 19.1.6, 19.1.7, 19.1.8, 20.0.1, 20.0.2, 20.0.3, 20.0.4, 20.0.5

External links

https://helpx.adobe.com/security/products/photoshop/apsb19-44.html
https://www.zerodayinitiative.com/advisories/ZDI-19-736/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Heap-based buffer overflow

Severity: High

CVSSv3: 7.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-7980

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the processing of the sbw command in PostScript. A remote attacker can create a specially crafted PostScript file, trick the victim into opening it, trigger heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Adobe Photoshop: 19.1.1, 19.1.2, 19.1.3, 19.1.4, 19.1.5, 19.1.6, 19.1.7, 19.1.8, 20.0.1, 20.0.2, 20.0.3, 20.0.4, 20.0.5

External links

https://helpx.adobe.com/security/products/photoshop/apsb19-44.html
https://www.zerodayinitiative.com/advisories/ZDI-19-734/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Heap-based buffer overflow

Severity: High

CVSSv3: 7.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-7985

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing .PSD files within the load command in PostScript. A remote attacker can create a specially crafted .PSD file, trick the victim into opening it, trigger heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Adobe Photoshop: 19.1.1, 19.1.2, 19.1.3, 19.1.4, 19.1.5, 19.1.6, 19.1.7, 19.1.8, 20.0.1, 20.0.2, 20.0.3, 20.0.4, 20.0.5

External links

https://helpx.adobe.com/security/products/photoshop/apsb19-44.html
https://www.zerodayinitiative.com/advisories/ZDI-19-729/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Heap-based buffer overflow

Severity: High

CVSSv3: 7.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-7990

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing .PSD files. A remote attacker can create a specially crafted .PSD file, trick the victim into opening it, trigger heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Adobe Photoshop: 19.1.1, 19.1.2, 19.1.3, 19.1.4, 19.1.5, 19.1.6, 19.1.7, 19.1.8, 20.0.1, 20.0.2, 20.0.3, 20.0.4, 20.0.5

External links

https://helpx.adobe.com/security/products/photoshop/apsb19-44.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Heap-based buffer overflow

Severity: High

CVSSv3: 7.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-7993

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing .PSD files. A remote attacker can create a specially crafted .PSD file, trick the victim into opening it, trigger heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Adobe Photoshop: 19.1.1, 19.1.2, 19.1.3, 19.1.4, 19.1.5, 19.1.6, 19.1.7, 19.1.8, 20.0.1, 20.0.2, 20.0.3, 20.0.4, 20.0.5

External links

https://helpx.adobe.com/security/products/photoshop/apsb19-44.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Type confusion

Severity: High

CVSSv3: 7.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-7969

CWE-ID: CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a type confusion error when processing .PSD files. A remote attacker can create a specially crafted .PSD file, trick the victim into opening it and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Adobe Photoshop: 19.1.1, 19.1.2, 19.1.3, 19.1.4, 19.1.5, 19.1.6, 19.1.7, 19.1.8, 20.0.1, 20.0.2, 20.0.3, 20.0.4, 20.0.5

External links

https://helpx.adobe.com/security/products/photoshop/apsb19-44.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Type confusion

Severity: High

CVSSv3: 7.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-7970

CWE-ID: CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a type confusion error when processing .PSD files. A remote attacker can create a specially crafted .PSD file, trick the victim into opening it and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Adobe Photoshop: 19.1.1, 19.1.2, 19.1.3, 19.1.4, 19.1.5, 19.1.6, 19.1.7, 19.1.8, 20.0.1, 20.0.2, 20.0.3, 20.0.4, 20.0.5

External links

https://helpx.adobe.com/security/products/photoshop/apsb19-44.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Type confusion

Severity: High

CVSSv3: 7.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-7971

CWE-ID: CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a type confusion error when processing .PSD files. A remote attacker can create a specially crafted .PSD file, trick the victim into opening it and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Adobe Photoshop: 19.1.1, 19.1.2, 19.1.3, 19.1.4, 19.1.5, 19.1.6, 19.1.7, 19.1.8, 20.0.1, 20.0.2, 20.0.3, 20.0.4, 20.0.5

External links

https://helpx.adobe.com/security/products/photoshop/apsb19-44.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Type confusion

Severity: High

CVSSv3: 7.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-7972

CWE-ID: CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a type confusion error when processing .PSD files. A remote attacker can create a specially crafted .PSD file, trick the victim into opening it and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Adobe Photoshop: 19.1.1, 19.1.2, 19.1.3, 19.1.4, 19.1.5, 19.1.6, 19.1.7, 19.1.8, 20.0.1, 20.0.2, 20.0.3, 20.0.4, 20.0.5

External links

https://helpx.adobe.com/security/products/photoshop/apsb19-44.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Type confusion

Severity: High

CVSSv3: 7.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-7973

CWE-ID: CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a type confusion error when processing .PSD files. A remote attacker can create a specially crafted .PSD file, trick the victim into opening it and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Adobe Photoshop: 19.1.1, 19.1.2, 19.1.3, 19.1.4, 19.1.5, 19.1.6, 19.1.7, 19.1.8, 20.0.1, 20.0.2, 20.0.3, 20.0.4, 20.0.5

External links

https://helpx.adobe.com/security/products/photoshop/apsb19-44.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Type confusion

Severity: High

CVSSv3: 7.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-7974

CWE-ID: CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a type confusion error when processing .PSD files. A remote attacker can create a specially crafted .PSD file, trick the victim into opening it and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Adobe Photoshop: 19.1.1, 19.1.2, 19.1.3, 19.1.4, 19.1.5, 19.1.6, 19.1.7, 19.1.8, 20.0.1, 20.0.2, 20.0.3, 20.0.4, 20.0.5

External links

https://helpx.adobe.com/security/products/photoshop/apsb19-44.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Type confusion

Severity: High

CVSSv3: 7.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-7975

CWE-ID: CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a type confusion error when processing .PSD files. A remote attacker can create a specially crafted .PSD file, trick the victim into opening it and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Adobe Photoshop: 19.1.1, 19.1.2, 19.1.3, 19.1.4, 19.1.5, 19.1.6, 19.1.7, 19.1.8, 20.0.1, 20.0.2, 20.0.3, 20.0.4, 20.0.5

External links

https://helpx.adobe.com/security/products/photoshop/apsb19-44.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Out-of-bounds read

Severity: Low

CVSSv3: 3.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-7977

CWE-ID: CWE-125 - Out-of-bounds Read

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition within the processing of the callothersubr command in PostScript. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger out-of-bounds read error and read contents of memory on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Adobe Photoshop: 19.1.1, 19.1.2, 19.1.3, 19.1.4, 19.1.5, 19.1.6, 19.1.7, 19.1.8, 20.0.1, 20.0.2, 20.0.3, 20.0.4, 20.0.5

External links

https://helpx.adobe.com/security/products/photoshop/apsb19-44.html
https://www.zerodayinitiative.com/advisories/ZDI-19-737/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Out-of-bounds read

Severity: Low

CVSSv3: 3.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-7981

CWE-ID: CWE-125 - Out-of-bounds Read

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition within the processing of the hsbw command in PostScript. A remote attacker can create a specially crafted PostScript file, trick the victim into opening it, trigger out-of-bounds read error and read contents of memory on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Adobe Photoshop: 19.1.1, 19.1.2, 19.1.3, 19.1.4, 19.1.5, 19.1.6, 19.1.7, 19.1.8, 20.0.1, 20.0.2, 20.0.3, 20.0.4, 20.0.5

External links

https://helpx.adobe.com/security/products/photoshop/apsb19-44.html
https://www.zerodayinitiative.com/advisories/ZDI-19-733/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Out-of-bounds read

Severity: Low

CVSSv3: 3.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-7987

CWE-ID: CWE-125 - Out-of-bounds Read

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition within the processing of charstring index commands in font definitions within PostScript files. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger out-of-bounds read error and read contents of memory on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Adobe Photoshop: 19.1.1, 19.1.2, 19.1.3, 19.1.4, 19.1.5, 19.1.6, 19.1.7, 19.1.8, 20.0.1, 20.0.2, 20.0.3, 20.0.4, 20.0.5

External links

https://helpx.adobe.com/security/products/photoshop/apsb19-44.html
https://www.zerodayinitiative.com/advisories/ZDI-19-727/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Out-of-bounds read

Severity: Low

CVSSv3: 3.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-7991

CWE-ID: CWE-125 - Out-of-bounds Read

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition when processing Photoshop files. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger out-of-bounds read error and read contents of memory on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Adobe Photoshop: 19.1.1, 19.1.2, 19.1.3, 19.1.4, 19.1.5, 19.1.6, 19.1.7, 19.1.8, 20.0.1, 20.0.2, 20.0.3, 20.0.4, 20.0.5

External links

https://helpx.adobe.com/security/products/photoshop/apsb19-44.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

18) Out-of-bounds read

Severity: Low

CVSSv3: 3.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-7992

CWE-ID: CWE-125 - Out-of-bounds Read

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition when processing Photoshop files. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger out-of-bounds read error and read contents of memory on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Adobe Photoshop: 19.1.1, 19.1.2, 19.1.3, 19.1.4, 19.1.5, 19.1.6, 19.1.7, 19.1.8, 20.0.1, 20.0.2, 20.0.3, 20.0.4, 20.0.5

External links

https://helpx.adobe.com/security/products/photoshop/apsb19-44.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

19) Out-of-bounds read

Severity: Low

CVSSv3: 3.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-7995

CWE-ID: CWE-125 - Out-of-bounds Read

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition within the processing of the blend command in PostScript. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger out-of-bounds read error and read contents of memory on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Adobe Photoshop: 19.1.1, 19.1.2, 19.1.3, 19.1.4, 19.1.5, 19.1.6, 19.1.7, 19.1.8, 20.0.1, 20.0.2, 20.0.3, 20.0.4, 20.0.5

External links

https://helpx.adobe.com/security/products/photoshop/apsb19-44.html
https://www.zerodayinitiative.com/advisories/ZDI-19-742/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

20) Out-of-bounds read

Severity: Low

CVSSv3: 3.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-7996

CWE-ID: CWE-125 - Out-of-bounds Read

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition within the processing of the load command in PostScript. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger out-of-bounds read error and read contents of memory on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Adobe Photoshop: 19.1.1, 19.1.2, 19.1.3, 19.1.4, 19.1.5, 19.1.6, 19.1.7, 19.1.8, 20.0.1, 20.0.2, 20.0.3, 20.0.4, 20.0.5

External links

https://helpx.adobe.com/security/products/photoshop/apsb19-44.html
https://www.zerodayinitiative.com/advisories/ZDI-19-741/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

21) Out-of-bounds read

Severity: Low

CVSSv3: 3.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-7997

CWE-ID: CWE-125 - Out-of-bounds Read

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition when processing Photoshop files. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger out-of-bounds read error and read contents of memory on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Adobe Photoshop: 19.1.1, 19.1.2, 19.1.3, 19.1.4, 19.1.5, 19.1.6, 19.1.7, 19.1.8, 20.0.1, 20.0.2, 20.0.3, 20.0.4, 20.0.5

External links

https://helpx.adobe.com/security/products/photoshop/apsb19-44.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

22) Out-of-bounds read

Severity: Low

CVSSv3: 3.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-7998

CWE-ID: CWE-125 - Out-of-bounds Read

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition when processing Photoshop files. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger out-of-bounds read error and read contents of memory on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Adobe Photoshop: 19.1.1, 19.1.2, 19.1.3, 19.1.4, 19.1.5, 19.1.6, 19.1.7, 19.1.8, 20.0.1, 20.0.2, 20.0.3, 20.0.4, 20.0.5

External links

https://helpx.adobe.com/security/products/photoshop/apsb19-44.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

23) Out-of-bounds read

Severity: Low

CVSSv3: 3.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-7999

CWE-ID: CWE-125 - Out-of-bounds Read

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition when processing Photoshop files. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger out-of-bounds read error and read contents of memory on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Adobe Photoshop: 19.1.1, 19.1.2, 19.1.3, 19.1.4, 19.1.5, 19.1.6, 19.1.7, 19.1.8, 20.0.1, 20.0.2, 20.0.3, 20.0.4, 20.0.5

External links

https://helpx.adobe.com/security/products/photoshop/apsb19-44.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

24) Out-of-bounds read

Severity: Low

CVSSv3: 3.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-8000

CWE-ID: CWE-125 - Out-of-bounds Read

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition when processing Photoshop files. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger out-of-bounds read error and read contents of memory on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Adobe Photoshop: 19.1.1, 19.1.2, 19.1.3, 19.1.4, 19.1.5, 19.1.6, 19.1.7, 19.1.8, 20.0.1, 20.0.2, 20.0.3, 20.0.4, 20.0.5

External links

https://helpx.adobe.com/security/products/photoshop/apsb19-44.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

25) Out-of-bounds read

Severity: Low

CVSSv3: 3.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-8001

CWE-ID: CWE-125 - Out-of-bounds Read

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition when processing Photoshop files. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger out-of-bounds read error and read contents of memory on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Adobe Photoshop: 19.1.1, 19.1.2, 19.1.3, 19.1.4, 19.1.5, 19.1.6, 19.1.7, 19.1.8, 20.0.1, 20.0.2, 20.0.3, 20.0.4, 20.0.5

External links

https://helpx.adobe.com/security/products/photoshop/apsb19-44.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

26) OS Command Injection

Severity: High

CVSSv3: 7.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-7989

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Description

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper validation of data passed within the handling of the Folder.execute method when processing JSX files. A remote unauthenticated attacker can create a specially crafted file, trick the victim into opening it and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Adobe Photoshop: 19.1.1, 19.1.2, 19.1.3, 19.1.4, 19.1.5, 19.1.6, 19.1.7, 19.1.8, 20.0.1, 20.0.2, 20.0.3, 20.0.4, 20.0.5

External links

https://helpx.adobe.com/security/products/photoshop/apsb19-44.html
https://www.zerodayinitiative.com/advisories/ZDI-19-739/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

27) Out-of-bounds write

Severity: High

CVSSv3: 7.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-7976

CWE-ID: CWE-787 - Out-of-bounds Write

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the processing of the drop command in PostScript. A remote attacker can create a specially crafted PostScript file, trick the victim into opening it, trigger a buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Adobe Photoshop: 19.1.1, 19.1.2, 19.1.3, 19.1.4, 19.1.5, 19.1.6, 19.1.7, 19.1.8, 20.0.1, 20.0.2, 20.0.3, 20.0.4, 20.0.5

External links

https://helpx.adobe.com/security/products/photoshop/apsb19-44.html
https://www.zerodayinitiative.com/advisories/ZDI-19-738/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

28) Out-of-bounds write

Severity: High

CVSSv3: 7.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-7979

CWE-ID: CWE-787 - Out-of-bounds Write

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the processing of the callothersubr command in PostScript. A remote attacker can create a specially crafted PostScript file, trick the victim into opening it, trigger a buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Adobe Photoshop: 19.1.1, 19.1.2, 19.1.3, 19.1.4, 19.1.5, 19.1.6, 19.1.7, 19.1.8, 20.0.1, 20.0.2, 20.0.3, 20.0.4, 20.0.5

External links

https://helpx.adobe.com/security/products/photoshop/apsb19-44.html
https://www.zerodayinitiative.com/advisories/ZDI-19-735/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

29) Out-of-bounds write

Severity: High

CVSSv3: 7.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-7982

CWE-ID: CWE-787 - Out-of-bounds Write

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the processing of the put command in PostScript. A remote attacker can create a specially crafted PostScript file, trick the victim into opening it, trigger a buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Adobe Photoshop: 19.1.1, 19.1.2, 19.1.3, 19.1.4, 19.1.5, 19.1.6, 19.1.7, 19.1.8, 20.0.1, 20.0.2, 20.0.3, 20.0.4, 20.0.5

External links

https://helpx.adobe.com/security/products/photoshop/apsb19-44.html
https://www.zerodayinitiative.com/advisories/ZDI-19-732/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

30) Out-of-bounds write

Severity: High

CVSSv3: 7.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-7983

CWE-ID: CWE-787 - Out-of-bounds Write

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing .PSD files within the put command in PostScript. A remote attacker can create a specially crafted .PSD file, trick the victim into opening it, trigger a buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Adobe Photoshop: 19.1.1, 19.1.2, 19.1.3, 19.1.4, 19.1.5, 19.1.6, 19.1.7, 19.1.8, 20.0.1, 20.0.2, 20.0.3, 20.0.4, 20.0.5

External links

https://helpx.adobe.com/security/products/photoshop/apsb19-44.html
https://www.zerodayinitiative.com/advisories/ZDI-19-731/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

31) Out-of-bounds write

Severity: High

CVSSv3: 7.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-7984

CWE-ID: CWE-787 - Out-of-bounds Write

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing .PSD files within the put command in PostScript. A remote attacker can create a specially crafted .PSD file, trick the victim into opening it, trigger a buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Adobe Photoshop: 19.1.1, 19.1.2, 19.1.3, 19.1.4, 19.1.5, 19.1.6, 19.1.7, 19.1.8, 20.0.1, 20.0.2, 20.0.3, 20.0.4, 20.0.5

External links

https://helpx.adobe.com/security/products/photoshop/apsb19-44.html
https://www.zerodayinitiative.com/advisories/ZDI-19-730/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

32) Out-of-bounds write

Severity: High

CVSSv3: 7.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-7986

CWE-ID: CWE-787 - Out-of-bounds Write

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the processing of charstring store commands in font definitions within PostScript files. A remote attacker can create a specially crafted PostScript file, trick the victim into opening it, trigger a buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Adobe Photoshop: 19.1.1, 19.1.2, 19.1.3, 19.1.4, 19.1.5, 19.1.6, 19.1.7, 19.1.8, 20.0.1, 20.0.2, 20.0.3, 20.0.4, 20.0.5

External links

https://helpx.adobe.com/security/products/photoshop/apsb19-44.html
https://www.zerodayinitiative.com/advisories/ZDI-19-728/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

33) Out-of-bounds write

Severity: High

CVSSv3: 7.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-7988

CWE-ID: CWE-787 - Out-of-bounds Write

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the processing of the callothersubr command in PostScript. A remote attacker can create a specially crafted PostScript file, trick the victim into opening it, trigger a buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Adobe Photoshop: 19.1.1, 19.1.2, 19.1.3, 19.1.4, 19.1.5, 19.1.6, 19.1.7, 19.1.8, 20.0.1, 20.0.2, 20.0.3, 20.0.4, 20.0.5

External links

https://helpx.adobe.com/security/products/photoshop/apsb19-44.html
https://www.zerodayinitiative.com/advisories/ZDI-19-740/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

34) Out-of-bounds write

Severity: High

CVSSv3: 7.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-7994

CWE-ID: CWE-787 - Out-of-bounds Write

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the processing of the load command in PostScript. A remote attacker can create a specially crafted PostScript file, trick the victim into opening it, trigger a buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Adobe Photoshop: 19.1.1, 19.1.2, 19.1.3, 19.1.4, 19.1.5, 19.1.6, 19.1.7, 19.1.8, 20.0.1, 20.0.2, 20.0.3, 20.0.4, 20.0.5

External links

https://helpx.adobe.com/security/products/photoshop/apsb19-44.html
https://www.zerodayinitiative.com/advisories/ZDI-19-743/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.