Adobe Security Bulletin

Security updates available for Adobe Animate | APSB21-105

Bulletin ID

Date Published

Priority

ASPB21-105

October 26, 2021      

3

Summary

Adobe has released an update for Adobe Animate. This update resolves multiple critical and important vulnerabilities.  Successful exploitation could lead to arbitrary code execution and privilege escalation in the context of the current user. 
    

Affected Versions

Product

Version

Platform

Adobe Animate

21.0.9  and earlier versions       

Windows

Solution

Adobe categorizes this update with the following  priority rating and recommends users update their installation to the newest version via the Creative Cloud desktop app's update mechanism.  For more information, please reference this help page.

Product

Version

Platform

Priority

Availability

Adobe Animate       

22.0

Windows and macOS

3

Download Center     

Adobe Animate       

21.0.10

Windows and macOS

3

Download Center     

For managed environments, IT administrators can use the Admin Console to deploy Creative Cloud applications to end users. Refer to this help page for more information.  

Vulnerability details

Vulnerability Category

Vulnerability Impact

Severity

CVSS base score 

CVE Numbers

Access of Memory Location After End of Buffer (CWE-788

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 

CVE-2021-40733  

 

Access of Memory Location After End of Buffer (CWE-788

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 

CVE-2021-42266  

Access of Memory Location After End of Buffer (CWE-788

Arbitrary code execution  
 

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 

CVE-2021-42267 

NULL Pointer Dereference (CWE-476

Application denial-of-service

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVE-2021-42268 

Use After Free (CWE-416

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 

CVE-2021-42269  

Out-of-bounds Write (CWE-787

Arbitrary code execution

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 

CVE-2021-42270   

Out-of-bounds Write (CWE-787

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-42271 

Out-of-bounds Write (CWE-787

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 

CVE-2021-42272 

Out-of-bounds Write (CWE-787

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 

CVE-2021-42524  

Out-of-bounds Read (CWE-125

Privilege escalation 

Important

4.4

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N 

CVE-2021-42525  

Acknowledgments



 Adobe would like to thank the following for reporting these issues and for working with Adobe to help protect our customers: 

  • (yjdfy) CQY of Topsec Alpha Team- CVE-2021-42269; CVE-2021-42268; CVE-2021-42267; CVE-2021-42266; CVE-2021-40733

  • Mat Powell of Trend Micro Zero Day Initiative (CVE-2021-42525)
  • Tran Van Khang - khangkito (VinCSS) working with Trend Micro Zero Day Initiative (CVE-2021-42524, CVE-2021-42272, CVE-2021-42271)  
  • Francis Provencher working with Trend Micro Zero Day Initiative (CVE-2021-42270)

Revisions

November 9, 2021: Added row to solution table for N-1.

November 11, 2021: Updated vulnerability details for CVE-2021-42268


For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

Adobe logo

Sign in to your account