-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.1556
           APSB23-20 : Security update available for Adobe Dimension
                               15 March 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Adobe Dimension
Publisher:         Adobe
Operating System:  Windows
                   macOS
Resolution:        Patch/Upgrade
CVE Names:         CVE-2023-26356 CVE-2023-26355 CVE-2023-26354 CVE-2023-26353
                   CVE-2023-26352 CVE-2023-26351 CVE-2023-26350 CVE-2023-26349
                   CVE-2023-26348 CVE-2023-26346 CVE-2023-26345 CVE-2023-26344
                   CVE-2023-26343 CVE-2023-26342 CVE-2023-26341 CVE-2023-26340
                   CVE-2023-26339 CVE-2023-26338 CVE-2023-26337 CVE-2023-26336
                   CVE-2023-26335 CVE-2023-26334 CVE-2023-26333 CVE-2023-26332
                   CVE-2023-26331 CVE-2023-26330 CVE-2023-26329 CVE-2023-26328
                   CVE-2023-26327 CVE-2023-25907 CVE-2023-25906 CVE-2023-25905
                   CVE-2023-25904 CVE-2023-25903 CVE-2023-25902 CVE-2023-25901
                   CVE-2023-25900 CVE-2023-25899 CVE-2023-25898 CVE-2023-25897
                   CVE-2023-25896 CVE-2023-25895 CVE-2023-25894 CVE-2023-25893
                   CVE-2023-25892 CVE-2023-25891 CVE-2023-25890 CVE-2023-25889
                   CVE-2023-25888 CVE-2023-25887 CVE-2023-25886 CVE-2023-25885
                   CVE-2023-25884 CVE-2023-25883 CVE-2023-25882 CVE-2023-25881
                   CVE-2023-25880 CVE-2023-25879

Original Bulletin:
   https://helpx.adobe.com/security/products/dimension/apsb23-20.html

Comment: CVSS (Max):  7.8 CVE-2023-26337 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
         CVSS Source: Adobe
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

Security updates available for Dimension | APSB23-20

Bulletin ID   Date Published   Priority
APSB23-20     March 14, 2023   3

Summary

Adobe has released an update for Adobe Dimension. This update addresses
critical and important vulnerabilities in Adobe Dimension.
Successful exploitation could lead to memory leak and arbitrary code
execution in the context of the current user.

Affected Versions

Product          Version                      Platform
Adobe Dimension  3.4.7 and earlier versions   Windows and macOS

Solution

Adobe categorizes these updates with the following priority ratings and
recommends users update their installation to the newest version via the
Creative Cloud desktop app's update mechanism. For more information, please
reference this help page.

Product          Version   Platform            Priority   Availability
Adobe Dimension  3.4.8     Windows and macOS   3          Download Center

For managed environments, IT administrators can use the Admin Console to
deploy Creative Cloud applications to end users. Refer to this help page for
more information.

Vulnerability details

Vulnerability Category                    | Impact                   | Severity  | Score | CVSS vector                                  | CVE Number
------------------------------------------+--------------------------+-----------+-------+----------------------------------------------+---------------
Improper Input Validation (CWE-20)        | Arbitrary code execution | Critical  | 7.8   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2023-25879
Out-of-bounds Write (CWE-787)             | Arbitrary code execution | Critical  | 7.8   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2023-25880
Improper Input Validation (CWE-20)        | Arbitrary code execution | Critical  | 7.8   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2023-25881
Heap-based Buffer Overflow (CWE-122)      | Arbitrary code execution | Critical  | 7.8   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2023-25882
Heap-based Buffer Overflow (CWE-122)      | Arbitrary code execution | Critical  | 7.8   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2023-25883
Out-of-bounds Read (CWE-125)              | Arbitrary code execution | Critical  | 7.8   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2023-25884
Heap-based Buffer Overflow (CWE-122)      | Arbitrary code execution | Critical  | 7.8   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2023-25885
Out-of-bounds Read (CWE-125)              | Arbitrary code execution | Critical  | 7.8   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2023-25886
Out-of-bounds Read (CWE-125)              | Arbitrary code execution | Critical  | 7.8   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2023-25887
Out-of-bounds Read (CWE-125)              | Arbitrary code execution | Critical  | 7.8   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2023-25888
Out-of-bounds Read (CWE-125)              | Arbitrary code execution | Critical  | 7.8   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2023-25889
Heap-based Buffer Overflow (CWE-122)      | Arbitrary code execution | Critical  | 7.8   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2023-25890
Out-of-bounds Read (CWE-125)              | Arbitrary code execution | Critical  | 7.8   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2023-25891
Out-of-bounds Read (CWE-125)              | Arbitrary code execution | Critical  | 7.8   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2023-25892
Use After Free (CWE-416)                  | Arbitrary code execution | Critical  | 7.8   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2023-25893
Use After Free (CWE-416)                  | Arbitrary code execution | Critical  | 7.8   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2023-25894
Heap-based Buffer Overflow (CWE-122)      | Arbitrary code execution | Critical  | 7.8   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2023-25895
Use After Free (CWE-416)                  | Arbitrary code execution | Critical  | 7.8   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2023-25896
Heap-based Buffer Overflow (CWE-122)      | Arbitrary code execution | Critical  | 7.8   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2023-25897
Heap-based Buffer Overflow (CWE-122)      | Arbitrary code execution | Critical  | 7.8   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2023-25898
Use After Free (CWE-416)                  | Arbitrary code execution | Critical  | 7.8   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2023-25899
Out-of-bounds Read (CWE-125)              | Arbitrary code execution | Critical  | 7.8   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2023-25900
Improper Input Validation (CWE-20)        | Arbitrary code execution | Critical  | 7.8   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2023-25901
Out-of-bounds Read (CWE-125)              | Arbitrary code execution | Critical  | 7.8   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2023-25902
Integer Overflow or Wraparound (CWE-190)  | Arbitrary code execution | Critical  | 7.8   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2023-25903
Out-of-bounds Read (CWE-125)              | Arbitrary code execution | Critical  | 7.8   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2023-25904
Out-of-bounds Write (CWE-787)             | Arbitrary code execution | Critical  | 7.8   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2023-25905
Out-of-bounds Read (CWE-125)              | Arbitrary code execution | Critical  | 7.8   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2023-25906
Out-of-bounds Read (CWE-125)              | Arbitrary code execution | Critical  | 7.8   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2023-25907
Out-of-bounds Read (CWE-125)              | Memory leak              | Critical  | 7.8   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2023-26327
Out-of-bounds Write (CWE-787)             | Arbitrary code execution | Critical  | 7.8   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2023-26328
Out-of-bounds Read (CWE-125)              | Memory leak              | Critical  | 7.8   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2023-26329
Out-of-bounds Write (CWE-787)             | Arbitrary code execution | Critical  | 7.8   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2023-26330
Out-of-bounds Read (CWE-125)              | Memory leak              | Critical  | 7.8   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2023-26331
Out-of-bounds Read (CWE-125)              | Memory leak              | Critical  | 7.8   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2023-26332
Out-of-bounds Read (CWE-125)              | Arbitrary code execution | Critical  | 7.8   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2023-26333
Access of Uninitialized Pointer (CWE-824) | Memory leak              | Critical  | 7.8   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2023-26334
Out-of-bounds Read (CWE-125)              | Arbitrary code execution | Critical  | 7.8   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2023-26335
Use After Free (CWE-416)                  | Arbitrary code execution | Critical  | 7.8   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2023-26336
Stack-based Buffer Overflow (CWE-121)     | Arbitrary code execution | Critical  | 7.8   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2023-26337
Out-of-bounds Read (CWE-125)              | Memory leak              | Important | 5.5   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2023-26338
Out-of-bounds Read (CWE-125)              | Memory leak              | Important | 5.5   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2023-26339
Out-of-bounds Read (CWE-125)              | Memory leak              | Important | 5.5   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2023-26340
Out-of-bounds Read (CWE-125)              | Memory leak              | Important | 5.5   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2023-26341
Out-of-bounds Read (CWE-125)              | Memory leak              | Important | 5.5   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N | CVE-2023-26342
Out-of-bounds Read (CWE-125)              | Memory leak              | Important | 5.5   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2023-26343
Access of Uninitialized Pointer (CWE-824) | Memory leak              | Important | 5.5   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2023-26344
Out-of-bounds Read (CWE-125)              | Memory leak              | Important | 5.5   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2023-26345
Out-of-bounds Read (CWE-125)              | Memory leak              | Important | 5.5   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2023-26346
Out-of-bounds Read (CWE-125)              | Memory leak              | Important | 5.5   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2023-26348
Use After Free (CWE-416)                  | Memory leak              | Important | 5.5   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2023-26349
Out-of-bounds Read (CWE-125)              | Memory leak              | Important | 5.5   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2023-26350
Out-of-bounds Read (CWE-125)              | Memory leak              | Important | 5.5   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2023-26351
Out-of-bounds Read (CWE-125)              | Memory leak              | Important | 5.5   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2023-26352
Out-of-bounds Read (CWE-125)              | Memory leak              | Important | 5.5   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2023-26353
Out-of-bounds Read (CWE-125)              | Memory leak              | Important | 5.5   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2023-26354
Out-of-bounds Read (CWE-125)              | Memory leak              | Important | 5.5   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2023-26355
Out-of-bounds Read (CWE-125)              | Memory leak              | Important | 5.5   | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2023-26356

Score = CVSS base score.

Acknowledgments:

Adobe would like to thank the following researchers for reporting the
relevant issues and for working with Adobe to help protect our customers:

  o Mat Powell working with Trend Micro Zero Day Initiative -
    CVE-2023-25879, CVE-2023-25880, CVE-2023-25881, CVE-2023-25882,
    CVE-2023-25883, CVE-2023-25884, CVE-2023-25885, CVE-2023-25886,
    CVE-2023-25887, CVE-2023-25888, CVE-2023-25889, CVE-2023-25890,
    CVE-2023-25891, CVE-2023-25892, CVE-2023-25893, CVE-2023-25894,
    CVE-2023-25895, CVE-2023-25896, CVE-2023-25900, CVE-2023-25902,
    CVE-2023-25905, CVE-2023-25906, CVE-2023-25907, CVE-2023-26327,
    CVE-2023-26328, CVE-2023-26329, CVE-2023-26333, CVE-2023-26335,
    CVE-2023-26338, CVE-2023-26339, CVE-2023-26340, CVE-2023-26341,
    CVE-2023-26342, CVE-2023-26343, CVE-2023-26344, CVE-2023-26345,
    CVE-2023-26346, CVE-2023-26348, CVE-2023-26349

  o Michael DePlante (@izobashi) working with Trend Micro Zero Day
    Initiative - CVE-2023-25897, CVE-2023-25898, CVE-2023-25899,
    CVE-2023-25901, CVE-2023-26330, CVE-2023-26331, CVE-2023-26350,
    CVE-2023-26351, CVE-2023-26352, CVE-2023-26353, CVE-2023-26354,
    CVE-2023-26355, CVE-2023-26356, CVE-2023-26332, CVE-2023-26334,
    CVE-2023-26336

  o Zero Day Initiative (zdi) - CVE-2023-26337

  o Chen Qininying (yjdfy) - CVE-2023-25903, CVE-2023-25904

For more information, visit https://helpx.adobe.com/security.html, or email
PSIRT@adobe.com

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.
The mailing list you are subscribed to is maintained within your
organisation, so if you do not wish to continue receiving these bulletins
you should contact your local IT manager. If you do not know who that is,
please send an email to auscert@auscert.org.au and we will forward your
request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no responsibility
for consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================