Detections
Analytics
Adobe Animate 22.x < 22.0.0 Multiple Vulnerabilities (APSB21-105)
high Nessus Plugin ID 154435
Language:
Synopsis
Adobe Animate installed on remote Windows host is affected by multiple vulnerabilitiesDescription
The version of Adobe Animate installed on the remote Windows host is prior to 22.0.0. It is, therefore, affected by multiple vulnerabilities as referenced in the apsb21-105 advisory.- Adobe Animate version 21.0.9 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious .psd file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability. (CVE-2021-40733)
- Adobe Animate version 21.0.9 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious FLA file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability. (CVE-2021-42266, CVE-2021-42267)
- Adobe Animate version 21.0.9 (and earlier) is affected by a Null pointer dereference vulnerability when parsing a specially crafted FLA file. An unauthenticated attacker could leverage this vulnerability to achieve an application denial-of-service in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. (CVE-2021-42268)
- Adobe Animate version 21.0.9 (and earlier) are affected by a use-after-free vulnerability in the processing of a malformed FLA file that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. (CVE-2021-42269)
- Adobe Animate version 21.0.9 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious BMP file. (CVE-2021-42270, CVE-2021-42271, CVE-2021-42524)
- Adobe Animate version 21.0.9 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious GIF file. (CVE-2021-42272)
- Acrobat Animate versions 21.0.9 (and earlier)is affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file. (CVE-2021-42525)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Upgrade to Adobe Animate version 22.0.0 or later.See Also
https://helpx.adobe.com/security/products/animate/apsb21-105.html
Plugin Details
Severity: High
ID: 154435
File Name: adobe_animate_apsb21-105.nasl
Version: 1.8
Type: local
Agent: windows
Family: Windows
Published: 10/26/2021
Updated: 10/21/2024
Supported Sensors: Nessus Agent, Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 5.9
CVSS v2
Risk Factor: High
Base Score: 9.3
Temporal Score: 6.9
Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS Score Source: CVE-2021-42524
CVSS v3
Risk Factor: High
Base Score: 7.8
Temporal Score: 6.8
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
CVSS Score Source: CVE-2021-42269
Vulnerability Information
CPE: cpe:/a:adobe:animate
Required KB Items: SMB/Registry/Enumerated, installed_sw/Adobe Animate
Exploit Ease: No known exploits are available
Patch Publication Date: 10/26/2021
Vulnerability Publication Date: 10/26/2021
Reference Information
CVE: CVE-2021-40733, CVE-2021-42266, CVE-2021-42267, CVE-2021-42268, CVE-2021-42269, CVE-2021-42270, CVE-2021-42271, CVE-2021-42272, CVE-2021-42524, CVE-2021-42525