⚡ TL;DR | Go Straight to the Adobe Acrobat Vulnerability Audit Report
Adobe has released a series of security updates for Adobe Acrobat and Reader, Commerce, Dimension, and XMP Toolkit. The updates address a total of 37 vulnerabilities that range in severity from moderate to critical. Successful exploitation of these vulnerabilities could lead to all kinds of issues like arbitrary code execution, application denial of service, privilege escalation, memory leak, and more. We have added a new report to Lansweeper to help you locate vulnerable installations.
Affected Adobe Software and Fixed Versions
Adobe released updates for 4 of its products: Acrobat and Reader, Commerce, Dimension, and XMP Toolkit. We’ve broken down the updates by product below with an overview of the affected and fixed versions. You can find a full overview of all vulnerabilities addressed below.
Adobe Acrobat and Reader
The updates to Adobe Acrobat and Reader for Windows and macOS are the largest and address 30 vulnerabilities, 16 of which are critical. These vulnerabilities could lead to application denial-of-service, security feature bypass, memory leak, and arbitrary code execution . Detailed update instructions can be found on Adobe’s bulletin.
Product | Track | Affected version | Updated Version |
Acrobat DC | Continuous | 23.003.20244 and earlier versions | 23.003.20269 |
Acrobat Reader DC | Continuous | 23.003.20244 and earlier versions | 23.003.20269 |
Acrobat 2020 | Classic 2020 | 20.005.30467 and earlier versions | 20.005.30516.10516 for Mac 20.005.30514.10514 for Windows |
Acrobat Reader 2020 | Classic 2020 | 20.005.30467 and earlier versions | 20.005.30516.10516 for Mac 20.005.30514.10514 for Windows |
Based on this list of affected products and versions shared by Adobe, we have created a special Lansweeper report that will provide a list of all installations in your environment that could be affected by these vulnerabilities.
Adobe Commerce
3 vulnerabilities were patched in Adobe Commerce and Magento Open Source for all platforms, 1 of which is critical. Successful exploitation of these issues could lead to arbitrary code execution, privilege escalation, and arbitrary file system read. Please note that in the table below, the products marked with an * are available to customers in the extended support program.
Product | Affected version | Updated Version | Installation Instructions |
Adobe Commerce | 2.4.6-p1 and earlier 2.4.5-p3 and earlier 2.4.4-p4 and earlier 2.4.3-ext-3 and earlier* 2.4.2-ext-3 and earlier* 2.4.1-ext-3 and earlier* 2.4.0-ext-3 and earlier* 2.3.7-p4-ext-3 and earlier* | 2.4.6-p2 for 2.4.6 and earlier 2.4.5-p4 for 2.4.5-p3 and earlier 2.4.4-p5 for 2.4.4-p3 and earlier 2.4.3-ext-4 for 2.4.3-ext-2 and earlier* 2.4.2-ext-4 for 2.4.2-ext-2 and earlier* 2.4.1-ext-4 for 2.4.1-ext-2 and earlier* 2.4.0-ext-4 for 2.4.0-ext-2 and earlier* 2.3.7-p4-ext-4 for 2.3.7-p4-ext-2 and earlier* | 2.4.x release notes |
Magento Open Source | 2.4.6-p1 and earlier 2.4.5-p3 and earlier 2.4.4-p4 and earlier | 2.4.6-p2 for 2.4.6 and earlier 2.4.5-p4 for 2.4.5-p3 and earlier 2.4.4-p5 for 2.4.4-p3 and earlier |
Adobe Dimension
In Adobe Dimension for Windows and macOS, 3 vulnerabilities were fixed, including 2 critical ones. Adobe recommends users update their installation to the newest version via the Creative Cloud desktop app’s update mechanism. You can find more information on their help page.
Product | Affected version | Updated Version | Availability |
Adobe Dimension | 3.4.9 and earlier versions | 3.4.10 | Download center |
Adobe XMP Toolkit SDK
1 more important vulnerability was fixed in Adobe XMP Toolkit SDK for all platforms. Exploitation could lead to application denial of service. Adobe recommends that you update your installation to the newest version.
Product | Affected version | Updated Versions | Availability |
Adobe XMP-Toolkit-SDK | 2022.06 and earlier versions | 2023.07 | Release notes |
Discover Vulnerable Adobe Installations
Just like we did for the Adobe Acrobat (Reader) vulnerabilities above, you can use Lansweeper to discover any installs of the vulnerable Adobe products and versions in your network. This way you have an actionable list of devices and software that might require a patch.
Adobe Security Update August 2023 CVE Codes & Categories
CVE number(s) | Vulnerability Category | CVSS base score |
CVE-2023-29320 | Improper Access Control | 8.6 |
CVE-2023-29299 | Improper Input Validation | 5.6 |
CVE-2023-29303 | Use After Free | 5.5 |
CVE-2023-38222 | Use After Free | 7.8 |
CVE-2023-38223 | Access of Uninitialized Pointer | 7.8 |
CVE-2023-38224 | Use After Free | 7.8 |
CVE-2023-38225 | Use After Free | 7.8 |
CVE-2023-38226 | Access of Uninitialized Pointer | 7.8 |
CVE-2023-38227 | Use After Free | 7.8 |
CVE-2023-38228 | Use After Free | 7.8 |
CVE-2023-38229 | Out-of-bounds Read | 7.8 |
CVE-2023-38230 | Use After Free | 7.8 |
CVE-2023-38231 | Out-of-bounds Write | 7.8 |
CVE-2023-38232 | Out-of-bounds Read | 7.8 |
CVE-2023-38233 | Out-of-bounds Write | 7.8 |
CVE-2023-38234 | Access of Uninitialized Pointer | 7.8 |
CVE-2023-38235 | Out-of-bounds Read | 7.8 |
CVE-2023-38236 | Out-of-bounds Read | 5.5 |
CVE-2023-38237 | Out-of-bounds Read | 5.5 |
CVE-2023-38238 | Use After Free | 4.0 |
CVE-2023-38239 | Out-of-bounds Read | 5.5 |
CVE-2023-38240 | Out-of-bounds Read | 5.5 |
CVE-2023-38241 | Out-of-bounds Read | 5.5 |
CVE-2023-38242 | Out-of-bounds Read | 5.5 |
CVE-2023-38243 | Use After Free | 5.5 |
CVE-2023-38244 | Out-of-bounds Read | 5.5 |
CVE-2023-38245 | Improper Input Validation | 6.1 |
CVE-2023-38246 | Access of Uninitialized Pointer | 7.8 |
CVE-2023-38247 | Out-of-bounds Read | 3.3 |
CVE-2023-38248 | Out-of-bounds Read | 3.3 |
CVE-2023-38207 | CVE-2023-38207 | 5.3 |
CVE-2023-38208 | Improper Neutralization of Special Elements used in an OS Command (‚OS Command Injection‘) | 9.1 |
CVE-2023-38209 | Improper Access Control | 6.5 |
CVE-2023-38211 | Use After Free | 7.8 |
CVE-2023-38212 | Heap-based Buffer Overflow | 7.8 |
CVE-2023-38213 | Out-of-bounds Read | 3.3 |
CVE-2023-38210 | Uncontrolled Resource Consumption | 5.5 |