Adobe Security Bulletin

Security Updates Available for Adobe XMP Toolkit SDK | APSB21-65

Bulletin ID

Date Published

Priority

APSB21-65

August 17, 2021

3

Summary

Adobe has released updates for XMP-Toolkit-SDK. These updates resolve multiple  critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user.                              

Affected versions

Product

Affected version

Platform

Adobe XMP-Toolkit-SDK

2020.1 and earlier versions    

All

Solution

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest. 

Product

Updated version

Platform

Priority rating

Availability

Adobe XMP-Toolkit-SDK   

2021.07  

All 

3

Vulnerability Details

Vulnerability Category

Vulnerability Impact

Severity

CVSS base score 

CVE Number

Out-of-bounds Read

(CWE-125)

Arbitrary file system read

Critical 

7.1

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

CVE-2021-36045

Access of Memory Location After End of Buffer

(CWE-788)

Arbitrary code execution

Critical 

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-36046

Improper Input Validation

(CWE-20)

Arbitrary code execution

Critical 

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-36047

CVE-2021-36048

Heap-based Buffer Overflow

(CWE-122)

Arbitrary code execution

Critical 

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-36050

CVE-2021-36051

Access of Memory Location After End of Buffer

(CWE-788)

Arbitrary code execution

Critical 

8.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-36052

Out-of-bounds Read

(CWE-125)

Application denial-of-service

Important

5

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

CVE-2021-36053

Heap-based Buffer Overflow

(CWE-122)

Application denial-of-service

Important

6.1

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H

CVE-2021-36054

Use After Free

(CWE-416)

Application denial-of-service

Important

6.1

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H

CVE-2021-36055

CVE-2021-36056

Write-what-where Condition

(CWE-123)

Arbitrary code execution

Important

4.7

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE-2021-36057

Buffer Underwrite ('Buffer Underflow') (CWE-124)

Arbitrary code execution

Critical 

8.4

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2021-36064

Integer Overflow or Wraparound

(CWE-190)

Application denial-of-service

Important

6.6

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H

CVE-2021-36058

Acknowledgments

Adobe would like to thank the following for reporting the relevant issues and for working with Adobe to help protect our customers: 

  • CFF of Topsec Alpha Team (cff_123) (CVE-2021-36052, CVE-2021-36064)
  • CQY of Topsec Alpha Team (yjdfy) (CVE-2021-36045, CVE-2021-36046, CVE-2021-36047, CVE-2021-36048, CVE-2021-36050, CVE-2021-36051, CVE-2021-36053, CVE-2021-36054, CVE-2021-36055, CVE-2021-36056, CVE-2021-36057, CVE-2021-36058, CVE-2021-39847)

Revision

September 1, 2021:  Updated the CVSS base score and the CVSS vector for CVE-2021-36064, CVE-2021-36052.

                                  Included details about CVE-2021-39847. 

                                  Updated acknowledgement details for yjdfy.    

September 27, 2021: Updated CVSS base score for CVE-2021-36058 & CVE-2021-36054. Updated Vulnerability category for CVE-2021-36056. Updated credit for CVE-2021-36058.


 


For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

 Adobe

Get help faster and easier

New user?

Adobe MAX 2024

Adobe MAX
The Creativity Conference

Oct 14–16 Miami Beach and online

Adobe MAX

The Creativity Conference

Oct 14–16 Miami Beach and online

Adobe MAX 2024

Adobe MAX
The Creativity Conference

Oct 14–16 Miami Beach and online

Adobe MAX

The Creativity Conference

Oct 14–16 Miami Beach and online