{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2024-022.pdf"
    },
    "title": "Vulnerabilities in Adobe products",
    "serial_number": "2024-022",
    "publish_date": "29-02-2024 17:47:18",
    "description": "On February 13, 2024, Adobe released two security advisories addressing multiple high severity vulnerabilities in various Adobe products. If exploited, the vulnerabilities would allow an attacker to cause remote arbitrary code execution, remote denial of service, remote code injection or disclosure of sensitive information.",
    "url_title": "2024-022",
    "content_markdown": "---\ntitle: 'Vulnerabilities in\u00a0Adobe products'\nnumber: '2024-022'\nversion: '1.0'\noriginal_date: 'February 13, 2024'\ndate: 'February 29, 2024'\n---\n\n_History:_\n\n* _29/02/2024 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn February 13, 2024, Adobe released two security advisories addressing multiple high severity vulnerabilities [1, 2] in various Adobe products. If exploited, the vulnerabilities would allow an attacker to cause remote arbitrary code execution, remote denial of service, remote code injection or disclosure of sensitive information.\n\n# Technical Details\n\nAmong all the fixed vulnerabilities, the critical ones, with CVSS scores ranging from 7.8 to 9.1 out of 10, are due to:\n\n- Improper neutralisation of special elements used in an OS command (CVE-2024-20720 - CVSS 9.1);\n- Cross-site scripting (CVE-2024-20719 - CVSS 9.1);\n- Out-of-bounds write (CVE-2024-20726, CVE-2024-20727, CVE-2024-20728 - CVSS 7.8);\n- Use after free (CVE-2024-20729, CVE-2024-20765, CVE-2024-20731 - CVSS 7.8 and CVSS 8.8);\n- Integer overflow or wraparound (CVE-2024-20730 - CVSS 7.8).\n\nIf exploited, these critical vulnerabilities could lead to arbitrary code execution.\n\n# Affected Products\n\n- Adobe Commerce version 2.4.6-x prior to 2.4.6-p4\n- Adobe Commerce version 2.4.5-x prior to 2.4.5-p6\n- Adobe Commerce version 2.4.4-x prior to 2.4.4-p7\n- Adobe Commerce version 2.4.3-x prior to 2.4.3-ext-6\n- Adobe Commerce version 2.4.2-x prior to 2.4.2-ext-6\n- Adobe Commerce version 2.4.1-x prior to 2.4.1-ext-6\n- Adobe Commerce version 2.4.0-x prior to 2.4.0-ext-6\n- Adobe Commerce version 2.3.7-x prior to 2.3.7-p4-ext-6\n- Magento Open Source versions 2.4.6-x prior to 2.4.6-p4\n- Magento Open Source versions 2.4.5-x prior to 2.4.5-p6\n- Magento Open Source versions 2.4.4-x prior to 2.4.4-p7\n- Acrobat DC versions prior to 23.008.20533 on Windows and macOS\n- Acrobat Reader DC versions prior to 23.008.20533 on Windows and macOS\n- Acrobat 2020 versions prior to 20.005.30574 on Windows and macOS\n- Acrobat Reader 2020 versions prior to 20.005.30574 on Windows and macOS\n\n# Recommendations\n\nCERT-EU strongly recommends updating software installations to the latest versions by following the instructions given by the vendor [1, 2].\n\n# References\n\n[1] <https://helpx.adobe.com/security/products/magento/apsb24-03.html>\n\n[2] <https://helpx.adobe.com/security/products/acrobat/apsb24-07.html>\n\n[3] <https://blog.talosintelligence.com/vulnerability-roundup-feb-27-2024/>",
    "content_html": "<p><em>History:</em></p><ul><li><em>29/02/2024 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On February 13, 2024, Adobe released two security advisories addressing multiple high severity vulnerabilities [1, 2] in various Adobe products. If exploited, the vulnerabilities would allow an attacker to cause remote arbitrary code execution, remote denial of service, remote code injection or disclosure of sensitive information.</p><h2 id=\"technical-details\">Technical Details</h2><p>Among all the fixed vulnerabilities, the critical ones, with CVSS scores ranging from 7.8 to 9.1 out of 10, are due to:</p><ul><li>Improper neutralisation of special elements used in an OS command (CVE-2024-20720 - CVSS 9.1);</li><li>Cross-site scripting (CVE-2024-20719 - CVSS 9.1);</li><li>Out-of-bounds write (CVE-2024-20726, CVE-2024-20727, CVE-2024-20728 - CVSS 7.8);</li><li>Use after free (CVE-2024-20729, CVE-2024-20765, CVE-2024-20731 - CVSS 7.8 and CVSS 8.8);</li><li>Integer overflow or wraparound (CVE-2024-20730 - CVSS 7.8).</li></ul><p>If exploited, these critical vulnerabilities could lead to arbitrary code execution.</p><h2 id=\"affected-products\">Affected Products</h2><ul><li>Adobe Commerce version 2.4.6-x prior to 2.4.6-p4</li><li>Adobe Commerce version 2.4.5-x prior to 2.4.5-p6</li><li>Adobe Commerce version 2.4.4-x prior to 2.4.4-p7</li><li>Adobe Commerce version 2.4.3-x prior to 2.4.3-ext-6</li><li>Adobe Commerce version 2.4.2-x prior to 2.4.2-ext-6</li><li>Adobe Commerce version 2.4.1-x prior to 2.4.1-ext-6</li><li>Adobe Commerce version 2.4.0-x prior to 2.4.0-ext-6</li><li>Adobe Commerce version 2.3.7-x prior to 2.3.7-p4-ext-6</li><li>Magento Open Source versions 2.4.6-x prior to 2.4.6-p4</li><li>Magento Open Source versions 2.4.5-x prior to 2.4.5-p6</li><li>Magento Open Source versions 2.4.4-x prior to 2.4.4-p7</li><li>Acrobat DC versions prior to 23.008.20533 on Windows and macOS</li><li>Acrobat Reader DC versions prior to 23.008.20533 on Windows and macOS</li><li>Acrobat 2020 versions prior to 20.005.30574 on Windows and macOS</li><li>Acrobat Reader 2020 versions prior to 20.005.30574 on Windows and macOS</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>CERT-EU strongly recommends updating software installations to the latest versions by following the instructions given by the vendor [1, 2].</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://helpx.adobe.com/security/products/magento/apsb24-03.html\">https://helpx.adobe.com/security/products/magento/apsb24-03.html</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://helpx.adobe.com/security/products/acrobat/apsb24-07.html\">https://helpx.adobe.com/security/products/acrobat/apsb24-07.html</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://blog.talosintelligence.com/vulnerability-roundup-feb-27-2024/\">https://blog.talosintelligence.com/vulnerability-roundup-feb-27-2024/</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}