Bulletin ID
Last updated on
Security Updates Available for Adobe Bridge | APSB21-94
|
|
Date Published |
Priority |
|---|---|---|
|
APSB21-94 |
October 26, 2021 |
2 |
Summary
Adobe has released a security update for Adobe Bridge. This update addresses critical vulnerabilities that could lead to arbitrary code execution and memory leak.
Affected Versions
|
Product |
Version |
Platform |
|---|---|---|
|
Adobe Bridge |
11.1.1 and earlier versions |
Windows |
Solution
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version via the Creative Cloud desktop app's update mechanism. For more information, please reference this help page.
|
Product |
Version |
Platform |
Priority |
Availability |
|---|---|---|---|---|
|
Adobe Bridge |
12.0 |
Windows and macOS |
2 |
|
|
Adobe Bridge |
11.1.2 |
Windows and macOS |
2 |
Vulnerability details
|
Vulnerability Category |
Vulnerability Impact |
Severity |
CVSS base score |
CVE Numbers |
||
|---|---|---|---|---|---|---|
|
NULL Pointer Dereference (CWE-476) |
Memory leak |
Critical |
8.3 |
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
CVE-2021-40750 |
|
|
Double Free (CWE-415) |
Arbitrary code execution |
Critical |
7.8 |
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
CVE-2021-42533 |
|
|
Out-of-bounds Read (CWE-125) |
|
Critical |
7.8 |
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H |
CVE-2021-42719 CVE-2021-42720 |
|
|
Out-of-bounds Read (CWE-125) |
Arbitrary code execution |
Critical |
7.8 |
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
CVE-2021-42722 |
|
|
Access of Memory Location After End of Buffer (CWE-788) |
Arbitrary code execution |
Critical |
7.8 |
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
CVE-2021-42724 |
|
|
Out-of-bounds Write |
Arbitrary code execution |
Critical |
7.8 |
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
CVE-2021-42728 |
|
|
Access of Memory Location After End of Buffer (CWE-788) |
Arbitrary code execution |
Critical |
7.8 |
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
CVE-2021-42729 |
|
|
Access of Memory Location After End of Buffer (CWE-788) |
Arbitrary code execution |
Critical |
7.8 |
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
CVE-2021-42730 |
|
|
Use After Free (CWE-416) |
Arbitrary code execution |
Critical |
7.8 |
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
CVE-2021-42721 |
Acknowledgments
Adobe would like to thank the following researcher for reporting this issue and for working with Adobe to help protect our customers:
(hy350) HY350 of Topsec Alpha Team CVE-2021-40750
(yjdfy) CQY of Topsec Alpha Team CVE-2021-42730; CVE-2021-42729; CVE-2021-42721
- (cff_123) CFF of Topsec Alpha Team- CVE-2021-42728; CVE-2021-42724; CVE-2021-42722; CVE-2021-42720; CVE-2021-42719
Francis Provencher working with Trend Micro Zero Day Initiative (CVE02021-42533)
Revisions
June 16, 2022: Added CVE-2021-42721
December 6th, 2021: Added CVE details for CVE-2021-44185, CVE-2021-44186, CVE-2021-44187
January 11, 2022: Moved CVE details for CVE-2021-44185, CVE-2021-44186, CVE-2021-44187 to bulletin: https://helpx.adobe.com/security/products/bridge/apsb22-03.html
For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com