#VU934 Arbitrary code execution in Creative Cloud Desktop Application
Vulnerability identifier: #VU934
Vulnerability risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-427
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Creative Cloud Desktop Application
Universal components / Libraries /
Software for developers
Vendor: Adobe
Description
The vulnerability allows a remote unauthenticated user to execute arbitrary code on the targeted system.
The weakness is due to an unquoted search path in the affected software. By persuading the victim to view a specially crafted PDF file, attackers can load the application or execute arbirtary code.
Successful exploitation of the vulnerability will result in arbitrary code execution on the vulnerable system.
Mitigation
Update to version 3.8.0.310.
Vulnerable software versions
Creative Cloud Desktop Application: 3.5.0.206 - 3.7.0.272
External links
http://helpx.adobe.com/security/products/creative-cloud/apsb16-34.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
