SB2022091433 - Multiple vulnerabilities in Adobe Photoshop

Security Bulletin ID SB2022091433

CSH Severity

High

Patch available

YES

Number of vulnerabilities 10

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 10 vulnerabilities.

1) Out-of-bounds write (CVE-ID: CVE-2022-35713)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing U3D files. A remote attacker can create a specially crafted U3D file, trick the victim into opening it using the affected software, trigger out-of-bounds write and execute arbitrary code on the target system.

2) Access of Uninitialized Pointer (CVE-ID: CVE-2022-38426)

CWE-ID: CWE-824 - Access of Uninitialized Pointer

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing U3D files. A remote attacker can create a specially crafted U3D file, trick the victim into opening it using the affected software, trigger a boundary error and execute arbitrary code on the target system.

3) Access of Uninitialized Pointer (CVE-ID: CVE-2022-38427)

CWE-ID: CWE-824 - Access of Uninitialized Pointer

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing U3D files. A remote attacker can create a specially crafted U3D file, trick the victim into opening it using the affected software, trigger a boundary error and execute arbitrary code on the target system.

4) Use-after-free (CVE-ID: CVE-2022-38428)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to a use-after-free error when processing DCM files. A remote attacker can trick the victim to open a specially crafted DCM file, trigger a use-after-free error and read memory contents on the system.

5) Out-of-bounds read (CVE-ID: CVE-2022-38429)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing SVG files. A remote attacker can create a specially crafted SVG file, trick the victim into opening it using the affected software, trigger an out-of-bounds read and execute arbitrary code on the target system.

6) Out-of-bounds read (CVE-ID: CVE-2022-38430)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing MP4 files. A remote attacker can create a specially crafted MP4 file, trick the victim into opening it using the affected software, trigger an out-of-bounds read and execute arbitrary code on the target system.

7) Out-of-bounds read (CVE-ID: CVE-2022-38431)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing SVG files. A remote attacker can create a specially crafted SVG file, trick the victim into opening it using the affected software, trigger an out-of-bounds read and execute arbitrary code on the target system.

8) Heap-based buffer overflow (CVE-ID: CVE-2022-38432)

CWE-ID: CWE-122 - Heap-based Buffer Overflow

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing SVG files. A remote attacker can trick the victim to open a specially crafted SVG file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

9) Heap-based buffer overflow (CVE-ID: CVE-2022-38433)

CWE-ID: CWE-122 - Heap-based Buffer Overflow

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing SVG files. A remote attacker can trick the victim to open a specially crafted SVG file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

10) Use-after-free (CVE-ID: CVE-2022-38434)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error when processing SVG files. A remote attacker can trick the victim to open a specially crafted SVG file, trigger a use-after-free error and execute arbitrary code on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Remediation

Install update from vendor's website.

SB2022091433 - Multiple vulnerabilities in Adobe Photoshop

Breakdown by Severity

Description

Remediation

References

Please verify you're human