===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.1556
         APSB23-20 : Security update available for Adobe Dimension
                               15 March 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Adobe Dimension
Publisher:         Adobe
Operating System:  Windows
                   macOS
Resolution:        Patch/Upgrade
CVE Names:         CVE-2023-26356 CVE-2023-26355 CVE-2023-26354
                   CVE-2023-26353 CVE-2023-26352 CVE-2023-26351
                   CVE-2023-26350 CVE-2023-26349 CVE-2023-26348
                   CVE-2023-26346 CVE-2023-26345 CVE-2023-26344
                   CVE-2023-26343 CVE-2023-26342 CVE-2023-26341
                   CVE-2023-26340 CVE-2023-26339 CVE-2023-26338
                   CVE-2023-26337 CVE-2023-26336 CVE-2023-26335
                   CVE-2023-26334 CVE-2023-26333 CVE-2023-26332
                   CVE-2023-26331 CVE-2023-26330 CVE-2023-26329
                   CVE-2023-26328 CVE-2023-26327 CVE-2023-25907
                   CVE-2023-25906 CVE-2023-25905 CVE-2023-25904
                   CVE-2023-25903 CVE-2023-25902 CVE-2023-25901
                   CVE-2023-25900 CVE-2023-25899 CVE-2023-25898
                   CVE-2023-25897 CVE-2023-25896 CVE-2023-25895
                   CVE-2023-25894 CVE-2023-25893 CVE-2023-25892
                   CVE-2023-25891 CVE-2023-25890 CVE-2023-25889
                   CVE-2023-25888 CVE-2023-25887 CVE-2023-25886
                   CVE-2023-25885 CVE-2023-25884 CVE-2023-25883
                   CVE-2023-25882 CVE-2023-25881 CVE-2023-25880
                   CVE-2023-25879  

Original Bulletin: 
   https://helpx.adobe.com/security/products/dimension/apsb23-20.html

Comment: CVSS (Max):  7.8 CVE-2023-26337 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
         CVSS Source: Adobe
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

--------------------------BEGIN INCLUDED TEXT--------------------

Security updates available for Dimension | APSB23-20

Bulletin ID                  Date Published                Priority

APSB23-20                    March 14, 2023                    3


Summary

Adobe has released an update for Adobe Dimension. This update addresses
critical and important vulnerabilities in Adobe Dimension. Successful
exploitation could lead to memory leak and arbitrary code execution in the
context of the current user.

Affected Versions

Product            Version                       Platform

Adobe Dimension    3.4.7 and earlier versions    Windows and macOS


Solution

Adobe categorizes these updates with the following priority ratings and
recommends users update their installation to the newest version via the
Creative Cloud desktop app's update mechanism. For more information, please
reference this help page.

Product            Version    Platform             Priority    Availability

Adobe Dimension    3.4.8      Windows and macOS    3           Download Center


For managed environments, IT administrators can use the Admin Console to deploy
Creative Cloud applications to end users. Refer to this help page for more
information.

Vulnerability details

Vulnerability Category                     Vulnerability Impact      Severity   CVSS base score  CVSS vector                                   CVE Numbers

Improper Input Validation (CWE-20)         Arbitrary code execution  Critical   7.8              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  CVE-2023-25879
Out-of-bounds Write (CWE-787)              Arbitrary code execution  Critical   7.8              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  CVE-2023-25880
Improper Input Validation (CWE-20)         Arbitrary code execution  Critical   7.8              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  CVE-2023-25881
Heap-based Buffer Overflow (CWE-122)       Arbitrary code execution  Critical   7.8              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  CVE-2023-25882
Heap-based Buffer Overflow (CWE-122)       Arbitrary code execution  Critical   7.8              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  CVE-2023-25883
Out-of-bounds Read (CWE-125)               Arbitrary code execution  Critical   7.8              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  CVE-2023-25884
Heap-based Buffer Overflow (CWE-122)       Arbitrary code execution  Critical   7.8              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  CVE-2023-25885
Out-of-bounds Read (CWE-125)               Arbitrary code execution  Critical   7.8              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  CVE-2023-25886
Out-of-bounds Read (CWE-125)               Arbitrary code execution  Critical   7.8              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  CVE-2023-25887
Out-of-bounds Read (CWE-125)               Arbitrary code execution  Critical   7.8              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  CVE-2023-25888
Out-of-bounds Read (CWE-125)               Arbitrary code execution  Critical   7.8              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  CVE-2023-25889
Heap-based Buffer Overflow (CWE-122)       Arbitrary code execution  Critical   7.8              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  CVE-2023-25890
Out-of-bounds Read (CWE-125)               Arbitrary code execution  Critical   7.8              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  CVE-2023-25891
Out-of-bounds Read (CWE-125)               Arbitrary code execution  Critical   7.8              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  CVE-2023-25892
Use After Free (CWE-416)                   Arbitrary code execution  Critical   7.8              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  CVE-2023-25893
Use After Free (CWE-416)                   Arbitrary code execution  Critical   7.8              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  CVE-2023-25894
Heap-based Buffer Overflow (CWE-122)       Arbitrary code execution  Critical   7.8              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  CVE-2023-25895
Use After Free (CWE-416)                   Arbitrary code execution  Critical   7.8              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  CVE-2023-25896
Heap-based Buffer Overflow (CWE-122)       Arbitrary code execution  Critical   7.8              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  CVE-2023-25897
Heap-based Buffer Overflow (CWE-122)       Arbitrary code execution  Critical   7.8              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  CVE-2023-25898
Use After Free (CWE-416)                   Arbitrary code execution  Critical   7.8              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  CVE-2023-25899
Out-of-bounds Read (CWE-125)               Arbitrary code execution  Critical   7.8              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  CVE-2023-25900
Improper Input Validation (CWE-20)         Arbitrary code execution  Critical   7.8              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  CVE-2023-25901
Out-of-bounds Read (CWE-125)               Arbitrary code execution  Critical   7.8              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  CVE-2023-25902
Integer Overflow or Wraparound (CWE-190)   Arbitrary code execution  Critical   7.8              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  CVE-2023-25903
Out-of-bounds Read (CWE-125)               Arbitrary code execution  Critical   7.8              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  CVE-2023-25904
Out-of-bounds Write (CWE-787)              Arbitrary code execution  Critical   7.8              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  CVE-2023-25905
Out-of-bounds Read (CWE-125)               Arbitrary code execution  Critical   7.8              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  CVE-2023-25906
Out-of-bounds Read (CWE-125)               Arbitrary code execution  Critical   7.8              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  CVE-2023-25907
Out-of-bounds Read (CWE-125)               Memory leak               Critical   7.8              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  CVE-2023-26327
Out-of-bounds Write (CWE-787)              Arbitrary code execution  Critical   7.8              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  CVE-2023-26328
Out-of-bounds Read (CWE-125)               Memory leak               Critical   7.8              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  CVE-2023-26329
Out-of-bounds Write (CWE-787)              Arbitrary code execution  Critical   7.8              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  CVE-2023-26330
Out-of-bounds Read (CWE-125)               Memory leak               Critical   7.8              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  CVE-2023-26331
Out-of-bounds Read (CWE-125)               Memory leak               Critical   7.8              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  CVE-2023-26332
Out-of-bounds Read (CWE-125)               Arbitrary code execution  Critical   7.8              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  CVE-2023-26333
Access of Uninitialized Pointer (CWE-824)  Memory leak               Critical   7.8              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  CVE-2023-26334
Out-of-bounds Read (CWE-125)               Arbitrary code execution  Critical   7.8              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  CVE-2023-26335
Use After Free (CWE-416)                   Arbitrary code execution  Critical   7.8              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  CVE-2023-26336
Stack-based Buffer Overflow (CWE-121)      Arbitrary code execution  Critical   7.8              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  CVE-2023-26337
Out-of-bounds Read (CWE-125)               Memory leak               Important  5.5              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  CVE-2023-26338
Out-of-bounds Read (CWE-125)               Memory leak               Important  5.5              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  CVE-2023-26339
Out-of-bounds Read (CWE-125)               Memory leak               Important  5.5              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  CVE-2023-26340
Out-of-bounds Read (CWE-125)               Memory leak               Important  5.5              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  CVE-2023-26341
Out-of-bounds Read (CWE-125)               Memory leak               Important  5.5              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N  CVE-2023-26342
Out-of-bounds Read (CWE-125)               Memory leak               Important  5.5              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  CVE-2023-26343
Access of Uninitialized Pointer (CWE-824)  Memory leak               Important  5.5              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  CVE-2023-26344
Out-of-bounds Read (CWE-125)               Memory leak               Important  5.5              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  CVE-2023-26345
Out-of-bounds Read (CWE-125)               Memory leak               Important  5.5              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  CVE-2023-26346
Out-of-bounds Read (CWE-125)               Memory leak               Important  5.5              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  CVE-2023-26348
Use After Free (CWE-416)                   Memory leak               Important  5.5              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  CVE-2023-26349
Out-of-bounds Read (CWE-125)               Memory leak               Important  5.5              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  CVE-2023-26350
Out-of-bounds Read (CWE-125)               Memory leak               Important  5.5              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  CVE-2023-26351
Out-of-bounds Read (CWE-125)               Memory leak               Important  5.5              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  CVE-2023-26352
Out-of-bounds Read (CWE-125)               Memory leak               Important  5.5              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  CVE-2023-26353
Out-of-bounds Read (CWE-125)               Memory leak               Important  5.5              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  CVE-2023-26354
Out-of-bounds Read (CWE-125)               Memory leak               Important  5.5              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  CVE-2023-26355
Out-of-bounds Read (CWE-125)               Memory leak               Important  5.5              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  CVE-2023-26356


Acknowledgments:

Adobe would like to thank the following researchers for reporting the relevant
issues and for working with Adobe to help protect our customers:

  o Mat Powell working with Trend Micro Zero Day Initiative - CVE-2023-25879,
    CVE-2023-25880, CVE-2023-25881, CVE-2023-25882, CVE-2023-25883,
    CVE-2023-25884, CVE-2023-25885, CVE-2023-25886, CVE-2023-25887,
    CVE-2023-25888, CVE-2023-25889, CVE-2023-25890, CVE-2023-25891,
    CVE-2023-25892, CVE-2023-25893, CVE-2023-25894, CVE-2023-25895,
    CVE-2023-25896, CVE-2023-25900, CVE-2023-25902, CVE-2023-25905,
    CVE-2023-25906, CVE-2023-25907, CVE-2023-26327, CVE-2023-26328,
    CVE-2023-26329, CVE-2023-26333, CVE-2023-26335, CVE-2023-26338,
    CVE-2023-26339, CVE-2023-26340, CVE-2023-26341, CVE-2023-26342,
    CVE-2023-26343, CVE-2023-26344, CVE-2023-26345, CVE-2023-26346,
    CVE-2023-26348, CVE-2023-26349
  o Michael DePlante (@izobashi) working with Trend Micro Zero Day Initiative -
    CVE-2023-25897, CVE-2023-25898, CVE-2023-25899, CVE-2023-25901,
    CVE-2023-26330, CVE-2023-26331, CVE-2023-26350, CVE-2023-26351,
    CVE-2023-26352, CVE-2023-26353, CVE-2023-26354, CVE-2023-26355,
    CVE-2023-26356, CVE-2023-26332, CVE-2023-26334, CVE-2023-26336
  o Zero Day Initiative (zdi) - CVE-2023-26337
  o Chen Qininying (yjdfy) - CVE-2023-25903, CVE-2023-25904

For more information, visit https://helpx.adobe.com/security.html, or email
PSIRT@adobe.com

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================