Insecure library loading in Adobe Dimension

Published: 2021-07-14

Risk	High
Patch available	YES
Number of vulnerabilities	1
CVE-ID	CVE-2021-28595
CWE-ID	CWE-427
Exploitation vector	Network
Public exploit	N/A
Vulnerable software Subscribe	Adobe Dimension Client/Desktop applications / Multimedia software
Vendor	Adobe

Security Bulletin

This security bulletin contains one high risk vulnerability.

1) Insecure DLL loading

EUVDB-ID: #VU54845

Risk: High

CVSSv3.1:

CVE-ID: CVE-2021-28595

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to the application loads DLL libraries in an insecure manner. A remote attacker can place a specially crafted .dll file on a remote SMB fileshare, trick the victim into opening a file, associated with the vulnerable application, and execute arbitrary code on victim's system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Adobe Dimension: 2.1 - 3.4

Fixed software versions

CPE2.3

cpe:2.3:a:adobe:adobe_dimension:3.4:*:*:*:*:*:*:*

External links

http://helpx.adobe.com/security/products/dimension/apsb21-40.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?