CVE-2022-38434 Adobe Photoshop versions 22.5.8 and 23.4.2 are affected by a Use After Free vulnerability that could lead to arbitrary code execution in the context of the current user.

An attacker could leverage social engineering to convince a user to open a malicious file or leverage malicious links in email messages. Access to the affected system must be managed by the user either directly through a web-based attack interface or through access via a network.

Adobe is aware of reports that indicate this issue may be exploited through Windows shared folders. Most reports indicate that the shared folder is connected to a privileged account. Users are advised to carefully consider the type of shared folder before connecting it to a system. Details on shared folder protections can be found here.

Vulnerability Details

A remote code execution vulnerability exists in Adobe Reader and Acrobat 2019.1.3 and earlier versions where a maliciously crafted PDF can cause an out of bounds heap memory write that could lead to arbitrary code execution on the targeted system. This issue has been addressed by updating all vulnerable releases of Adobe Reader and Acrobat, including 2019.1.3, with the version updates being available from here
https://www.adobe.com/downloads/product-support#products_2019-1-3

Resolution:

Adobe is aware of reports that indicate this issue may be exploited through Windows shared folders. Most reports indicate that the shared folder is connected to a privileged account. Users are advised to carefully consider the type of shared folder before connecting it to a system. Details on shared folder protections can be found here.
Users should not open or run content from these files as they could have been exploited, while Adobe has already released a patch to resolve this issue which users can install via their software update tool.
The following versions of Adobe Acrobat and Reader have been updated with this patch:
* Adobe Acrobat X (10.1)
* Adobe Acrobat XI (11.0)
* Adobe Reader DC (12.0)
** Acrobat 9 Pro and Pro Extended edition are not affected by this vulnerability and will remain at version 9.6.25

Vulnerability overview

An attacker could use social engineering to manipulate the user into clicking a malicious link or opening a malicious file that would grant unauthorized access to the user's system. The issue can be exploited via Windows shared folders and requires an account with elevated privileges to exploit.

Vulnerability Information

Adobe is releasing this vulnerability information for its customers.
In order to exploit this vulnerability, an attacker would first need to convince the user to open a malicious file or link, such as by following an email message that includes a malicious link. The attacker could also leverage social engineering tactics such as phishing to convince the user to take action. Access to the affected system must be managed by the user either directly through a web-based attack interface or through access via a network.
Details on this issue can be found in the CVE entry below:
CVE-2022-38434

Timeline

Published on: 09/16/2022 18:15:00 UTC
Last modified on: 09/20/2022 18:44:00 UTC

References

• https://helpx.adobe.com/security/products/photoshop/apsb22-52.html
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-38434