Adobe is closing several security gaps, some of them critical, in several programs on its March Patch Tuesday. However, the company's own assessment of the risk posed by the gaps deviates from the assessment according to the CVSS standard.
Adobe: Serious security gaps
There are four security gaps in Adobe Bridge that allow attackers to execute arbitrary code or read memory areas. In its security notice, Adobe writes that three of the vulnerabilities allow the execution of malicious code; they are rated as high risk according to the CVSS rating, but the company itself considers them critical. Adobe Bridge 14.0.2 and 13.0.6 close the gaps. In Adobe Lightroom for macOS, attackers can also inject and execute arbitrary code, which the company classifies as a critical risk; a CVE entry and a CVSS rating are currently missing. Version 7.2 corrects this error and can be downloaded from the Apple App Store.
A vulnerability in Adobe ColdFusion allows malicious actors to read arbitrary files from the file system (CVE-2024-20767, CVSS 8.2, high). The company's developers consider this a critical level of threat. ColdFusion 2023 Update 7 and 2021 Update 13 close the gap. In Adobe Premiere Pro for macOS and Windows, attackers can also provoke a heap-based buffer overflow or out-of-bounds memory accesses and inject malicious code (CVE-2024-20745, CVE-2024-20746, CVSS 7.8, high). Adobe considers the risk critical and is closing the gaps with updates to Premiere Pro 24.2.1 and 23.6.4.
Adobe Animate 2024 24.0.1 and 2023 23.0.4 for macOS and Windows correct four security-related bugs, one of which allows the execution of injected code due to a potential out-of-bounds write (CVE-2024-20761, CVSS 7.8, high; Adobe rating: critical). In Adobe Experience Manager (AEM), on the other hand, there are numerous vulnerabilities whose threat level only reaches "medium" and in some cases "low". AEM Cloud Service Release 2024.03 and AEM 6.5.20.0 plug the security leaks.
Adobe's security messages at a glance:
On February's Patch Tuesday, Adobe also had to plug critical security gaps in various products. The more popular programs Acrobat and Reader were affected as well.
(dmk)