===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.1986
       APSB21-41 Security update available for Adobe Creative Cloud
                            Desktop Application
                                9 June 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Creative Cloud Desktop Application
Publisher:         Adobe
Operating System:  Windows
                   Mac OS
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Create Arbitrary Files          -- Console/Physical
                   Reduced Security                -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-28633 CVE-2021-28594 

Original Bulletin: 
   https://helpx.adobe.com/security/products/creative-cloud/apsb21-41.html

--------------------------BEGIN INCLUDED TEXT--------------------

Security update available for Adobe Creative Cloud Desktop Application |
APSB21-41

Bulletin ID                  Date Published                Priority

APSB21-41                    June 08, 2021                 3


Summary

Adobe has released an update for the Creative Cloud Desktop installer for
Windows and macOS. This update includes a fix for a critical and an important
vulnerability that could lead to arbitrary code execution in the context of
the current user.

Affected versions

Product                                          Affected version         Platform

Creative Cloud Desktop Application (Installer)   2.4 and earlier version  Windows and macOS


Solution

Adobe categorizes this update with the following priority rating and recommends
users update their installation to the newest version:

Product                                          Updated version  Platform           Priority rating  Availability

Creative Cloud Desktop Application (installer)   2.5              Windows and macOS  3                Download Center


Vulnerability Details

Vulnerability Category                   Vulnerability Impact         Severity   CVSS base score  CVSS vector                                   CVE Numbers

Creation of Temporary File in Directory  Arbitrary file system write  Important  6.1              CVSS:3.1/AV:P/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H  CVE-2021-28633
with Incorrect Permissions (CWE-379)

Uncontrolled Search Path Element         Arbitrary code execution     Critical   7.8              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  CVE-2021-28594
(CWE-427)


Acknowledgments

Adobe would like to thank the following for reporting this issue and for
working with Adobe to help protect our customers.

  o CQY of Topsec Alpha Team (yjdfy) (CVE-2021-28633)
  o Dhiraj Mishra (CVE-2021-28594)

For more information, visit https://helpx.adobe.com/security.html , or email
PSIRT@adobe.com.

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================