Adobe may have skipped March Patch Tuesday to push out security updates but caught up today issuing advisories covering 41 vulnerabilities, the majority critical, over six products.
The products included Adobe Genuine Integrity Service, Acrobat Reader, Photoshop, Experience Manager, ColdFusion 2016 and 2018 and Bridge. None of the vulnerabilities have been spotted in the wild and updates are available to correct the problems.
Photoshop contained the most vulnerabilities with 22 CVEs listed with 16 considered critical issues due to buffer errors, out of bounds write, memory corruption and heap corruption that could lead to remote code execution. The six rated important are due to an out-of-bounds read that could be exploited to disclose information from the affected system.
Adobe Acrobat DC and Reader DC 2015 and 2017 were assigned 13 CVEs with nine rated critical. The latter flaws were due to out-of-bounds write, stack-based buffer overflow, use-after-free, buffer overflow and memory corruption vulnerabilities all of which can lead to arbitrary code execution by an attacker.
Adobe Genuine Integrity Service has a single issue, CVE-2020-3766, that is rated as important. It covers an insecure file permissions vulnerability that can lead to privilege escalation if left unpatched.
Adobe Experience Manager, versions 6.5 and earlier, also has a lone flaw. The important-rated CVE-2020-3769 covers a server-side request forgery that could result in sensitive information disclosure.
ColdFusion 2016, update 13 and earlier, and ColdFusion 2018, update 7 and earlier, have CVE-2020-3761, CVE-2020-3794. Both are rated critical. The former is a remote file read problem that could result in arbitrary file read from the Coldfusion install directory, while the latter centers on a file inclusion matter leading to arbitrary code execution of files located in the webroot or its subdirectory.
The final product covered is Adobe Bridge which has the critical CVE-2020-9551 and CVE-2020-9552 being fixed. CVE-2020-9551 is an out-of-bounds write problem with CVE-2020-9552 being a heap-based buffer overflow issue. Both can lead to arbitrary code execution if exploited.