OpenCVE

Creative Cloud version 5.9.1 (and earlier) is affected by an Untrusted Search Path vulnerability that might allow attackers to execute their own programs, access unauthorized data files, or modify configuration in unexpected ways. If the application uses a search path to locate critical resources such as programs, then an attacker could modify that search path to point to a malicious program, which the targeted application would then execute. The problem extends to any type of critical resource that the application trusts.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Adobe	Creative Cloud

Configuration 1 [-]

cpe:2.3:a:adobe:creative_cloud:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://helpx.adobe.com/security/products/creative-cloud/apsb23-21.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: adobe

Published: 2023-03-22T00:00:00

Updated: 2024-08-02T11:46:24.504Z

Reserved: 2023-02-22T00:00:00

Link: CVE-2023-26358

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-03-22T17:15:15.430

Modified: 2024-11-21T07:51:11.740

Link: CVE-2023-26358

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-26358", "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", "assignerShortName": "adobe", "dateUpdated": "2024-08-02T11:46:24.504Z", "dateReserved": "2023-02-22T00:00:00", "datePublished": "2023-03-22T00:00:00"}, "containers": {"cna": {"title": "Adobe Creative Cloud AdobeExtensionService.exe local privilege escalation vulnerability", "datePublic": "2023-03-14T00:00:00", "providerMetadata": {"orgId": "078d4453-3bcd-4900-85e6-15281da43538", "shortName": "adobe", "dateUpdated": "2023-03-22T00:00:00"}, "descriptions": [{"lang": "en", "value": "Creative Cloud version 5.9.1 (and earlier) is affected by an Untrusted Search Path vulnerability that might allow attackers to execute their own programs, access unauthorized data files, or modify configuration in unexpected ways. If the application uses a search path to locate critical resources such as programs, then an attacker could modify that search path to point to a malicious program, which the targeted application would then execute. The problem extends to any type of critical resource that the application trusts."}], "affected": [{"vendor": "Adobe", "product": "Creative Cloud (desktop component)", "versions": [{"version": "unspecified", "lessThanOrEqual": "5.9.1", "status": "affected", "versionType": "custom"}, {"version": "unspecified", "lessThanOrEqual": "None", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://helpx.adobe.com/security/products/creative-cloud/apsb23-21.html"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "Untrusted Search Path (CWE-426)", "cweId": "CWE-426"}]}], "source": {"discovery": "EXTERNAL"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T11:46:24.504Z"}, "title": "CVE Program Container", "references": [{"url": "https://helpx.adobe.com/security/products/creative-cloud/apsb23-21.html", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:adobe:creative_cloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "93D4CF63-5B22-4072-8D56-A394D31E3945", "versionEndExcluding": "5.10", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Creative Cloud version 5.9.1 (and earlier) is affected by an Untrusted Search Path vulnerability that might allow attackers to execute their own programs, access unauthorized data files, or modify configuration in unexpected ways. If the application uses a search path to locate critical resources such as programs, then an attacker could modify that search path to point to a malicious program, which the targeted application would then execute. The problem extends to any type of critical resource that the application trusts."}], "id": "CVE-2023-26358", "lastModified": "2024-11-21T07:51:11.740", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 6.0, "source": "psirt@adobe.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-03-22T17:15:15.430", "references": [{"source": "psirt@adobe.com", "tags": ["Vendor Advisory"], "url": "https://helpx.adobe.com/security/products/creative-cloud/apsb23-21.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://helpx.adobe.com/security/products/creative-cloud/apsb23-21.html"}], "sourceIdentifier": "psirt@adobe.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-426"}], "source": "psirt@adobe.com", "type": "Secondary"}]}