Adobe Fixes Critical Vulnerabilities in Several Products


Adobe has released a series of updates addressing 25 vulnerabilities across 5 products. All of these vulnerabilities received a CVSS base score between 3.5 and 9.1, and 15 of them are rated critical. Exploitation could lead to arbitrary code execution, privilege escalation, security feature bypass, and memory leaks. For your organization, this could mean the loss or theft of business-critical or sensitive files and data, disruption of business operations, and application failures.

As the vulnerabilities affect several different Adobe products and versions, you can find lists of the affected versions per product below.

Affected Software and Versions

Adobe Acrobat and Reader

In Adobe Acrobat and Reader for Windows and macOS, 7 vulnerabilities were fixed, 3 of which are critical. For these updates, detailed instructions can be found on Adobe's bulletin.

Product             | Track        | Affected version              | Updated version
Acrobat DC          | Continuous   | 22.001.20169 and earlier      | 22.002.20191
Acrobat Reader DC   | Continuous   | 22.001.20169 and earlier      | 22.002.20191
Acrobat 2020        | Classic 2020 | 20.005.30362 and earlier      | 20.005.30381
Acrobat Reader 2020 | Classic 2020 | 20.005.30362 and earlier      | 20.005.30381
Acrobat 2017        | Classic 2017 | 17.012.30249 and earlier      | 17.012.30262
Acrobat Reader 2017 | Classic 2017 | 17.012.30249 and earlier      | 17.012.30262

Based on this list of affected products and versions shared by Adobe, we have created a special Lansweeper report that will provide a list of all installations in your environment that could be affected by these vulnerabilities.

Adobe Commerce and Magento Open Source

Another 7 vulnerabilities were patched in Adobe Commerce and Magento Open Source for all platforms, 4 of them critical. However, an attacker would need authentication and admin privileges in order to exploit these vulnerabilities. Still, Adobe recommends that you update your installation to the newest version.

Product             | Affected version              | Updated version                          | Installation instructions
Adobe Commerce      | 2.4.4 and earlier versions    | 2.3.7-p4, 2.4.3-p3, 2.4.4-p1, 2.4.5      | 2.4.x release notes, 2.3.x release notes
Adobe Commerce      | 2.4.3-p2 and earlier versions | 2.3.7-p4, 2.4.3-p3, 2.4.4-p1, 2.4.5      | 2.4.x release notes, 2.3.x release notes
Adobe Commerce      | 2.3.7-p3 and earlier versions | 2.3.7-p4, 2.4.3-p3, 2.4.4-p1, 2.4.5      | 2.4.x release notes, 2.3.x release notes
Magento Open Source | 2.4.4 and earlier versions    | 2.3.7-p4, 2.4.3-p3, 2.4.4-p1, 2.4.5      | 2.4.x release notes, 2.3.x release notes
Magento Open Source | 2.4.3-p2 and earlier versions | 2.3.7-p4, 2.4.3-p3, 2.4.4-p1, 2.4.5      | 2.4.x release notes, 2.3.x release notes
Magento Open Source | 2.3.7-p3 and earlier versions | 2.3.7-p4, 2.4.3-p3, 2.4.4-p1, 2.4.5      | 2.4.x release notes, 2.3.x release notes

Adobe Illustrator

In Adobe Illustrator for Windows and macOS, 4 vulnerabilities were fixed, including 2 critical ones. Adobe recommends users update their installation to the newest version via the Creative Cloud desktop app's update mechanism. You can find more information on their help page.

Product          | Affected version          | Updated version | Availability
Illustrator 2022 | 26.3.1 and earlier        | 26.4            | Download page
Illustrator 2021 | 25.4.6 and earlier        | 25.4.7          | Download page

Adobe FrameMaker

In Adobe FrameMaker for Windows, 6 vulnerabilities have been patched, 5 of which are critical. Adobe recommends that you update your installation to the newest version.

Product         | Affected version                  | Updated version           | Availability
Adobe FrameMaker | 2019 Release Update 8 and earlier | FrameMaker v15.0.8 (2019) | Tech note
Adobe FrameMaker | 2020 Release Update 4 and earlier | FrameMaker v16.0.4 (2020) | Tech note

Adobe Premiere Elements

One critical vulnerability was fixed in Adobe Premiere Elements for Windows and macOS that could lead to privilege escalation in the context of the current user. You are advised to download the new installer and upgrade your installation.

Product                | Affected version    | Updated version                                  | Availability
Adobe Premiere Elements | 2022 (Version 20.0) | 2022 (Version 20.0 20220702.Git.main.e4f8578)   | Download Center

Discover Vulnerable Devices

Just like we did for the Adobe Acrobat (Reader) vulnerabilities above, you can use Lansweeper to discover any installations of the vulnerable Adobe products and versions in your network. This gives you an actionable list of devices and software that might require a patch.
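As an added illustration of the version check such an inventory query has to make (this is not Lansweeper's report logic), the following script compares Acrobat/Reader builds against the "and earlier" ceilings from the table above. It assumes the inventory already tells you which Adobe track (Continuous, Classic 2020, Classic 2017) each install belongs to; the inventory records are constructed sample data.

```python
# Affected ceilings per Adobe track, taken from the Acrobat/Reader table above:
# every build at or below the listed version is affected.
AFFECTED_CEILING = {
    "Continuous": (22, 1, 20169),     # 22.001.20169 and earlier
    "Classic 2020": (20, 5, 30362),   # 20.005.30362 and earlier
    "Classic 2017": (17, 12, 30249),  # 17.012.30249 and earlier
}

def parse_version(version: str) -> tuple:
    """Turn an Adobe-style version string ('22.001.20169') into a tuple of
    ints. Comparing the raw strings would be wrong: lexically
    '22.001.20169' < '22.001.9999' even though 20169 > 9999."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Acrobat version format: {version!r}")
    return tuple(int(p) for p in parts)

def is_affected(track: str, version: str) -> bool:
    """True when the build is at or below the affected ceiling of its track."""
    ceiling = AFFECTED_CEILING.get(track)
    if ceiling is None:
        raise ValueError(f"unknown Acrobat track: {track!r}")
    return parse_version(version) <= ceiling

def find_affected(inventory):
    """Return (host, version, status) for every record. Records that cannot
    be parsed are reported for manual review rather than silently skipped,
    since skipping them would hide a possibly affected host."""
    flagged = []
    for rec in inventory:
        try:
            status = "affected" if is_affected(rec["track"], rec["version"]) else "patched"
        except ValueError as err:
            status = f"review: {err}"
        flagged.append((rec["host"], rec["version"], status))
    return flagged

# Constructed sample inventory (hypothetical hosts, not real scan output).
SAMPLE_INVENTORY = [
    {"host": "ws-01", "track": "Continuous",   "version": "22.001.20169"},   # exactly at ceiling
    {"host": "ws-02", "track": "Continuous",   "version": "21.011.20039"},   # older Continuous build
    {"host": "ws-03", "track": "Continuous",   "version": "23.001.20000"},   # hypothetical newer build
    {"host": "ws-04", "track": "Classic 2020", "version": "20.005.30362"},
    {"host": "ws-05", "track": "Classic 2017", "version": "17.012.30249"},
    {"host": "ws-06", "track": "Continuous",   "version": "22.1.20169 beta"},  # malformed
]

if __name__ == "__main__":
    for host, version, status in find_affected(SAMPLE_INVENTORY):
        print(f"{host:6} {version:18} {status}")
```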

Adobe August 2022 CVE Codes & Categories

CVE number     | Vulnerability category                                                        | CVSS base score
CVE-2022-34253 | XML Injection (aka Blind XPath Injection) (CWE-91)                            | 9.1
CVE-2022-34254 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22) | 8.5
CVE-2022-34255 | Improper Input Validation (CWE-20)                                            | 8.3
CVE-2022-34256 | Improper Authorization (CWE-285)                                              | 8.2
CVE-2022-34257 | Cross-site Scripting (Stored XSS) (CWE-79)                                    | 6.1
CVE-2022-34258 | Cross-site Scripting (Stored XSS) (CWE-79)                                    | 3.5
CVE-2022-34259 | Improper Access Control (CWE-284)                                             | 5.3
CVE-2022-35665 | Use After Free (CWE-416)                                                      | 7.8
CVE-2022-35666 | Improper Input Validation (CWE-20)                                            | 7.8
CVE-2022-35667 | Out-of-bounds Write (CWE-787)                                                 | 7.8
CVE-2022-35668 | Improper Input Validation (CWE-20)                                            | 5.5
CVE-2022-35670 | Use After Free (CWE-416)                                                      | 5.5
CVE-2022-35671 | Out-of-bounds Read (CWE-125)                                                  | 5.5
CVE-2022-35678 | Out-of-bounds Read (CWE-125)                                                  | 5.5
CVE-2022-34260 | Out-of-bounds Write (CWE-787)                                                 | 7.8
CVE-2022-34261 | Out-of-bounds Read (CWE-125)                                                  | 5.5
CVE-2022-34262 | Out-of-bounds Read (CWE-125)                                                  | 5.5
CVE-2022-34263 | Use After Free (CWE-416)                                                      | 7.8
CVE-2022-34264 | Out-of-bounds Read (CWE-125)                                                  | 5.5
CVE-2022-35673 | Out-of-bounds Read (CWE-125)                                                  | 7.8
CVE-2022-35674 | Out-of-bounds Read (CWE-125)                                                  | 7.8
CVE-2022-35675 | Use After Free (CWE-416)                                                      | 7.8
CVE-2022-35676 | Heap-based Buffer Overflow (CWE-122)                                          | 7.8
CVE-2022-35677 | Heap-based Buffer Overflow (CWE-122)                                          | 7.8
CVE-2022-34235 | Uncontrolled Search Path Element (CWE-427)                                    | 8.8