A vulnerability, which was classified as critical, has been found in Adobe Photoshop CC up to 19.1.8/20.0.5 (Image Processing Software). Affected by this issue is an unknown code block. The manipulation with an unknown input leads to a command injection vulnerability. Using CWE to declare the problem leads to CWE-77. The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. Impacted is confidentiality, integrity, and availability. CVE summarizes:

Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have a command injection vulnerability. Successful exploitation could lead to arbitrary code execution.

The weakness was disclosed 08/13/2019 as APSB19-44 as confirmed security bulletin (Website). The advisory is shared for download at helpx.adobe.com. This vulnerability is handled as CVE-2019-7968 since 02/12/2019. The attack may be launched remotely. No form of authentication is required for exploitation. Successful exploitation requires user interaction by the victim. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1202.

Upgrading to version 19.1.9 or 20.0.6 eliminates this vulnerability. A possible mitigation has been published immediately after the disclosure of the vulnerability.

The entries 140853, 140854, 140855 and 140856 are pretty similar.

Productinfo

Type

• Image Processing Software

Vendor

• Adobe

Name

• Photoshop CC

Version

• 19.1.0
• 19.1.1
• 19.1.2
• 19.1.3
• 19.1.4
• 19.1.5
• 19.1.6
• 19.1.7
• 19.1.8
• 20.0.0
• 20.0.1
• 20.0.2
• 20.0.3
• 20.0.4
• 20.0.5

License

• commercial

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion