CVE-2019-8253 - Out-of-bounds Write vulnerability in Adobe Photoshop CC

CVSS 7.8 - HIGH

  • Attack vector: LOCAL
  • Attack complexity: LOW
  • Privileges required: NONE
  • Confidentiality impact: HIGH
  • Integrity impact: HIGH
  • Availability impact: HIGH

Tags: local, low complexity, adobe, CWE-787, nessus

Summary

Adobe Photoshop CC versions before 20.0.8 and 21.0.x before 21.0.2 have a memory corruption vulnerability. Successful exploitation could lead to arbitrary code execution.

Common Weakness Enumeration (CWE)

Nessus

  • NASL family: MacOS X Local Security Checks
    NASL id: MACOS_ADOBE_PHOTOSHOP_APSB19-56.NASL
    description: The version of Adobe Photoshop CC installed on the remote macOS or Mac OS X host is prior to 20.0.8 (2019.0.8), 21.0.2 (2020.0.2). It is, therefore, affected by multiple memory corruption vulnerabilities. An attacker can exploit this to execute arbitrary code. Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen: 2020-03-21
    modified: 2019-12-12
    plugin id: 132021
    published: 2019-12-12
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/132021
    title: Adobe Photoshop CC 20.x <= 20.0.7 / 21.x <= 21.0.1 Multiple Vulnerabilities (APSB19-56)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include('compat.inc');
    
    if (description)
    {
      script_id(132021);
      script_version("1.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/20");
    
      script_cve_id("CVE-2019-8253", "CVE-2019-8254");
    
      script_name(english:"Adobe Photoshop CC 20.x <= 20.0.7 / 21.x <= 21.0.1 Multiple Vulnerabilities (APSB19-56)");
    
      script_set_attribute(attribute:"synopsis", value:
    "Adobe Photoshop installed on remote macOS or Mac OS X host is affected by a multiple vulnerabilities");
      script_set_attribute(attribute:"description", value:
    "The version of Adobe Photoshop CC installed on the remote macOS or Mac OS X host is prior to 20.0.8 (2019.0.8), 21.0.2
    (2020.0.2). It is, therefore, affected by multiple memory corruption vulnerabilities exist. An attacker can exploit this
    to execute arbitrary code.
    
    Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
    number.");
      script_set_attribute(attribute:"see_also", value:"https://helpx.adobe.com/security/products/photoshop/apsb19-56.html");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Adobe Photoshop CC version 20.0.8 (2019.0.8), 21.0.2 (2020.0.2) or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-8254");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/12/10");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/12/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/12");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:adobe:photoshop_cc");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("macosx_adobe_photoshop_installed.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/MacOSX/Version", "installed_sw/Adobe Photoshop");
    
      exit(0);
    }
    
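    include('vcf.inc');
    
    # Only run on hosts where a macOS version was recorded by local checks.
    get_kb_item_or_exit('Host/MacOSX/Version');
    
    # Load the install record (name, version, path) gathered by the dependency plugin.
    app_info = vcf::get_app_info(app:'Adobe Photoshop');
    
    # '>!<' is NASL's "is not a substring of" operator: skip non-CC editions.
    if ('CC' >!< app_info.name) vcf::vcf_exit(0, 'Only Adobe Photoshop CC is affected.');
    
    # Affected version ranges per branch, with the first fixed release of each.
    constraints = [
      { 'min_version' : '20', 'max_version' : '20.0.7', 'fixed_version' : '20.0.8' },
      { 'min_version' : '21', 'max_version' : '21.0.1', 'fixed_version' : '21.0.2' }
    ];
    
    # Compare the self-reported version against the ranges and report if it falls inside one.
    vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);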
    
  • NASL family: Windows
    NASL id: ADOBE_PHOTOSHOP_APSB19-56.NASL
    description: The version of Adobe Photoshop CC installed on the remote Windows host is prior to 20.0.8 (2019.0.8), 21.0.2 (2020.0.2). It is, therefore, affected by multiple unspecified memory corruption vulnerabilities. An attacker can exploit this to execute arbitrary code. Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen: 2020-03-21
    modified: 2019-12-12
    plugin id: 132022
    published: 2019-12-12
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/132022
    title: Adobe Photoshop CC 20.x <= 20.0.7 / 21.x <= 21.0.1 Multiple Vulnerabilities (APSB19-56)