Adobe Fixes Critical Vulnerabilities in Several Products

⚡ TL;DR | Go Straight to the Adobe Acrobat (Reader) Vulnerability Report

Adobe has released a series of updates addressing 25 vulnerabilities across 5 products. All of these vulnerabilities received a CVSS base score between 3.5 and 9.1, with 15 of them being critical. Exploitation could lead to a number of problems like arbitrary code execution, privilege escalation, security feature bypass, and memory leak. For your organization, this could result in the loss or even theft of business-critical or sensitive files and data, disruptions in business operation and application failures.

As the vulnerabilities affect several different Adobe products and versions, you can find lists of the affected versions per product below.

Affected Software and Versions

Adobe Acrobat and Reader

In Adobe Acrobat and Reader for Windows and macOS, 7 vulnerabilities were fixed, 3 of which are critical. For these updates, detailed instructions can be found on Adobe’s bulletin.

Product	Track	Affected version	Updated Version
Acrobat DC	Continuous	22.001.20169 and earlier versions	2.200.220.191
Acrobat Reader DC	Continuous	22.001.20169 and earlier versions	2.200.220.191
Acrobat 2020	Classic 2020	20.005.30362 and earlier versions	2.000.530.381
Acrobat Reader 2020	Classic 2020	20.005.30362 and earlier versions	2.000.530.381
Acrobat 2017	Classic 2017	17.012.30249 and earlier versions	1.701.230.262
Acrobat Reader 2017	Classic 2017	17.012.30249 and earlier versions	1.701.230.262

Based on this list of affected products and versions shared by Adobe, we have created a special Lansweeper report that will provide a list of all installations in your environment that could be affected by these vulnerabilities.

Adobe Commerce and Magento Open Source

Another 7 vulnerabilities were patched in Adobe Commerce and Magento Open Source for all platforms, 4 critical. However, an attacker would need authentication and admin privileges in order to exploit these vulnerabilities. Still, Adobe recommends that you update your installation to the newest version.

Product	Affected version	Updated Version	Installation Instructions
Adobe Commerce	2.4.3-p2 and earlier versions	2.3.7-p4, 2.4.3-p3, 2.4.4-p1, 2.4.5	2.4.x release notes 2.3.x release notes
	2.3.7-p3 and earlier versions
Adobe Commerce	2.4.4 and earlier versions
Magento Open Source	2.4.3-p2 and earlier versions	2.3.7-p4, 2.4.3-p3, 2.4.4-p1, 2.4.5
	2.3.7-p3 and earlier versions
Magento Open Source	2.4.4 and earlier versions

Adobe Illustrator

In Adobe Illustrator for Windows and macOS, 4 vulnerabilities were fixed, including 2 critical ones. Adobe recommends users update their installation to the newest version via the Creative Cloud desktop app’s update mechanism. You can find more information on their help page.

Product	Affected version	Updated Version	Availability
Illustrator 2022	26.3.1 and earlier versions	26.4	Download Page
Illustrator 2021	25.4.6 and earlier versions	25.4.7	Download Page

Adobe FrameMaker

In Adobe Framemaker for Windows, 6 vulnerabilities have been patched, 5 of which were critical. Adobe recommends that you update your installation to the newest version.

Product	Affected version	Updated Versions	Availability
Adobe FrameMaker	2019 Release Update 8 and earlier	FrameMaker v15.0.8 (2019)	Tech note
Adobe FrameMaker	2020 Release Update 4 and earlier	FrameMaker v16.0.4 (2020)	Tech note

Adobe Premiere Elements

1 critical vulnerability was fixed in Adobe Premiere Elements for Windows and macOS that could lead to privilege escalation by the current user. You are advised to download the new installer and upgrade your installation.

Product	Affected version	Updated Versions	Availability
Adobe Premiere Elements	2022 (Version 20.0)	FrameMaker v15.0.8 (2019)2022 (Version 20.0 20220702.Git.main.e4f8578)	Download Center

Discover Vulnerable Devices

Just like we did for the Adobe Acrobat (Reader) vulnerabilities above, you can use Lansweeper to discover any installs of the vulnerable Adobe products and versions in your network. This way you have an actionable list of devices and software that might require a patch.

Adobe August 2022 CVE Codes & Categories

CVE number(s)	Vulnerability Category	CVSS base score
CVE-2022-34253	XML Injection (aka Blind XPath Injection) (CWE-91)	9.1
CVE-2022-34254	Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) (CWE-22)	8.5
CVE-2022-34255	Improper Input Validation (CWE-20)	8.3
CVE-2022-34256	Improper Authorization (CWE-285)	8.2
CVE-2022-34257	Cross-site Scripting (Stored XSS) (CWE-79)	6.1
CVE-2022-34258	Cross-site Scripting (Stored XSS) (CWE-79)	3.5
CVE-2022-34259	Improper Access Control (CWE-284)	5.3
CVE-2022-35665	Use After Free (CWE-416)	7.8
CVE-2022-35666	Improper Input Validation (CWE-20)	7.8
CVE-2022-35667	Out-of-bounds Write (CWE-787)	7.8
CVE-2022-35668	Improper Input Validation (CWE-20)	5.5
CVE-2022-35670	Use After Free (CWE-416)	5.5
CVE-2022-35671	Out-of-bounds Read (CWE-125)	5.5
CVE-2022-35678	Out-of-bounds Read (CWE-125)	5.5
CVE-2022-34260	Out-of-bounds Write (CWE-787)	7.8
CVE-2022-34261	Out-of-bounds Read (CWE-125)	5.5
CVE-2022-34262	Out-of-bounds Read (CWE-125)	5.5
CVE-2022-34263	Use After Free (CWE-416)	7.8
CVE-2022-34264	Out-of-bounds Read (CWE-125)	5.5
CVE-2022-35673	Out-of-bounds Read (CWE-125)	7.8
CVE-2022-35674	Out-of-bounds Read (CWE-125)	7.8
CVE-2022-35675	Use After Free (CWE-416)	7.8
CVE-2022-35676	Heap-based Buffer Overflow (CWE-122)	7.8
CVE-2022-35677	Heap-based Buffer Overflow (CWE-122)	7.8
CVE-2022-34235	Uncontrolled Search Path Element (CWE-427)	8.8