cnvd - cnvd-2022-15925

cnvd-2022-15925

Vulnerability from cnvd

Title: Adobe Creative Cloud Desktop不受控制搜索路径元素漏洞

Description:

Adobe Creative Cloud Desktop Application是美国奥多比（Adobe）公司的一套用于在Creative云会员管理中心管理应用程序和服务的应用程序。该程序支持同步和共享文件、管理字体以及访问商业摄影和设计的资产库。

Adobe Creative Cloud Desktop 2.7.0.13及之前版本存在不受控制搜索路径元素漏洞。攻击者可利用该漏洞执行任意代码（受害用户必须下载恶意DLL文件，DLL文件需与安装程序放在同一文件夹中，这使其成为高度复杂的攻击媒介）。

Severity: 中

Patch Name: Adobe Creative Cloud Desktop不受控制搜索路径元素漏洞的补丁

Patch Description:

Adobe Creative Cloud Desktop 2.7.0.13及之前版本存在不受控制搜索路径元素漏洞。攻击者可利用该漏洞执行任意代码（受害用户必须下载恶意DLL文件，DLL文件需与安装程序放在同一文件夹中，这使其成为高度复杂的攻击媒介）。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

目前厂商已发布升级补丁以修复漏洞，详情请关注厂商主页： https://helpx.adobe.com/security/products/creative-cloud/apsb22-11.html

Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-23202

Impacted products

Name
Adobe Creative Cloud Desktop <= 2.7.0.13

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-23202",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2022-23202"
    }
  },
  "description": "Adobe Creative Cloud Desktop Application\u662f\u7f8e\u56fd\u5965\u591a\u6bd4\uff08Adobe\uff09\u516c\u53f8\u7684\u4e00\u5957\u7528\u4e8e\u5728Creative\u4e91\u4f1a\u5458\u7ba1\u7406\u4e2d\u5fc3\u7ba1\u7406\u5e94\u7528\u7a0b\u5e8f\u548c\u670d\u52a1\u7684\u5e94\u7528\u7a0b\u5e8f\u3002\u8be5\u7a0b\u5e8f\u652f\u6301\u540c\u6b65\u548c\u5171\u4eab\u6587\u4ef6\u3001\u7ba1\u7406\u5b57\u4f53\u4ee5\u53ca\u8bbf\u95ee\u5546\u4e1a\u6444\u5f71\u548c\u8bbe\u8ba1\u7684\u8d44\u4ea7\u5e93\u3002\n\nAdobe Creative Cloud Desktop 2.7.0.13\u53ca\u4e4b\u524d\u7248\u672c\u5b58\u5728\u4e0d\u53d7\u63a7\u5236\u641c\u7d22\u8def\u5f84\u5143\u7d20\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u4efb\u610f\u4ee3\u7801\uff08\u53d7\u5bb3\u7528\u6237\u5fc5\u987b\u4e0b\u8f7d\u6076\u610fDLL\u6587\u4ef6\uff0cDLL\u6587\u4ef6\u9700\u4e0e\u5b89\u88c5\u7a0b\u5e8f\u653e\u5728\u540c\u4e00\u6587\u4ef6\u5939\u4e2d\uff0c\u8fd9\u4f7f\u5176\u6210\u4e3a\u9ad8\u5ea6\u590d\u6742\u7684\u653b\u51fb\u5a92\u4ecb\uff09\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8be6\u60c5\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\uff1a\r\nhttps://helpx.adobe.com/security/products/creative-cloud/apsb22-11.html",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-15925",
  "openTime": "2022-03-02",
  "patchDescription": "Adobe Creative Cloud Desktop Application\u662f\u7f8e\u56fd\u5965\u591a\u6bd4\uff08Adobe\uff09\u516c\u53f8\u7684\u4e00\u5957\u7528\u4e8e\u5728Creative\u4e91\u4f1a\u5458\u7ba1\u7406\u4e2d\u5fc3\u7ba1\u7406\u5e94\u7528\u7a0b\u5e8f\u548c\u670d\u52a1\u7684\u5e94\u7528\u7a0b\u5e8f\u3002\u8be5\u7a0b\u5e8f\u652f\u6301\u540c\u6b65\u548c\u5171\u4eab\u6587\u4ef6\u3001\u7ba1\u7406\u5b57\u4f53\u4ee5\u53ca\u8bbf\u95ee\u5546\u4e1a\u6444\u5f71\u548c\u8bbe\u8ba1\u7684\u8d44\u4ea7\u5e93\u3002\r\n\r\nAdobe Creative Cloud Desktop 2.7.0.13\u53ca\u4e4b\u524d\u7248\u672c\u5b58\u5728\u4e0d\u53d7\u63a7\u5236\u641c\u7d22\u8def\u5f84\u5143\u7d20\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u4efb\u610f\u4ee3\u7801\uff08\u53d7\u5bb3\u7528\u6237\u5fc5\u987b\u4e0b\u8f7d\u6076\u610fDLL\u6587\u4ef6\uff0cDLL\u6587\u4ef6\u9700\u4e0e\u5b89\u88c5\u7a0b\u5e8f\u653e\u5728\u540c\u4e00\u6587\u4ef6\u5939\u4e2d\uff0c\u8fd9\u4f7f\u5176\u6210\u4e3a\u9ad8\u5ea6\u590d\u6742\u7684\u653b\u51fb\u5a92\u4ecb\uff09\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Adobe Creative Cloud Desktop\u4e0d\u53d7\u63a7\u5236\u641c\u7d22\u8def\u5f84\u5143\u7d20\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Adobe Creative Cloud Desktop \u003c= 2.7.0.13"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2022-23202",
  "serverity": "\u4e2d",
  "submitTime": "2022-02-18",
  "title": "Adobe Creative Cloud Desktop\u4e0d\u53d7\u63a7\u5236\u641c\u7d22\u8def\u5f84\u5143\u7d20\u6f0f\u6d1e"
}

CVE-2022-23202 (GCVE-0-2022-23202)

Vulnerability from cvelistv5

Published

2022-02-16 16:38

Modified

2025-04-23 19:03

Severity ?

7.0 (High) - CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-427 - Uncontrolled Search Path Element ()

Summary

Adobe Creative Cloud Desktop version 2.7.0.13 (and earlier) is affected by an Uncontrolled Search Path Element vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must download a malicious DLL file. The attacker has to deliver the DLL on the same folder as the installer which makes it as a high complexity attack vector.

References

▼	URL	Tags
	https://helpx.adobe.com/security/products/creative-cloud/apsb22-11.html	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Adobe	Creative Cloud (desktop component)	Version: unspecified < Version: unspecified <

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T03:36:20.175Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://helpx.adobe.com/security/products/creative-cloud/apsb22-11.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-23202",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-23T13:13:37.205482Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-23T19:03:15.470Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Creative Cloud (desktop component)",
          "vendor": "Adobe",
          "versions": [
            {
              "lessThanOrEqual": "2.7.0.13",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "None",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2022-02-08T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Adobe Creative Cloud Desktop version 2.7.0.13 (and earlier) is affected by an Uncontrolled Search Path Element vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must download a malicious DLL file. The attacker has to deliver the DLL on the same folder as the installer which makes it as a high complexity attack vector."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-427",
              "description": "Uncontrolled Search Path Element (CWE-427)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-02-16T16:38:29.000Z",
        "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "shortName": "adobe"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://helpx.adobe.com/security/products/creative-cloud/apsb22-11.html"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Adobe Creative Cloud Desktop Uncontrolled Search Path Element Arbitrary code execution",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@adobe.com",
          "DATE_PUBLIC": "2022-02-08T23:00:00.000Z",
          "ID": "CVE-2022-23202",
          "STATE": "PUBLIC",
          "TITLE": "Adobe Creative Cloud Desktop Uncontrolled Search Path Element Arbitrary code execution"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Creative Cloud (desktop component)",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "2.7.0.13"
                          },
                          {
                            "version_affected": "\u003c=",
                            "version_value": "None"
                          },
                          {
                            "version_affected": "\u003c=",
                            "version_value": "None"
                          },
                          {
                            "version_affected": "\u003c=",
                            "version_value": "None"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Adobe"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Adobe Creative Cloud Desktop version 2.7.0.13 (and earlier) is affected by an Uncontrolled Search Path Element vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must download a malicious DLL file. The attacker has to deliver the DLL on the same folder as the installer which makes it as a high complexity attack vector."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "High",
            "attackVector": "Local",
            "availabilityImpact": "High",
            "baseScore": 7,
            "baseSeverity": "High",
            "confidentialityImpact": "High",
            "integrityImpact": "High",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "userInteraction": "Required",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Uncontrolled Search Path Element (CWE-427)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://helpx.adobe.com/security/products/creative-cloud/apsb22-11.html",
              "refsource": "MISC",
              "url": "https://helpx.adobe.com/security/products/creative-cloud/apsb22-11.html"
            }
          ]
        },
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
    "assignerShortName": "adobe",
    "cveId": "CVE-2022-23202",
    "datePublished": "2022-02-16T16:38:29.111Z",
    "dateReserved": "2022-01-12T00:00:00.000Z",
    "dateUpdated": "2025-04-23T19:03:15.470Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted