What security updates did Adobe release in October 2024?

Adobe released security updates for multiple products in October 2024, including Adobe Substance 3D Painter, Adobe Commerce & Magento Open Source, Adobe Dimension, Adobe Animate, Adobe InCopy, Adobe FrameMaker, Adobe Lightroom, Adobe InDesign, and Adobe Substance 3D Stager. These updates address various critical vulnerabilities, such as arbitrary code execution, out-of-bounds reads, memory leaks, and more.

What critical vulnerabilities are addressed in Adobe Commerce & Magento Open Source?

Adobe Commerce & Magento Open Source updates address several critical vulnerabilities, including CVE-2024-45115 (CVSS score 9.8) - Improper Authentication allowing privilege escalation, CVE-2024-45148 (CVSS score 8.8) - Improper Authentication allowing security feature bypass, and CVE-2024-45116 (CVSS score 8.1) - Arbitrary code execution. Users are advised to update to the latest versions to mitigate these risks.

What is the critical vulnerability in Adobe Substance 3D Painter?

The critical vulnerability in Adobe Substance 3D Painter is CVE-2024-20787 (CVSS score 5.5), which involves an out-of-bounds read leading to a memory leak. The update affects version 10.0.1 and earlier. Users are recommended to update to version 10.1.0 through the Creative Cloud desktop app.

Which Adobe products had updates for out-of-bounds read vulnerabilities?

Adobe products that received updates for out-of-bounds read vulnerabilities include Adobe FrameMaker, Adobe Lightroom, and Adobe Animate. These updates address memory leak issues that could lead to potential security risks.

Are there any known active exploits for the October 2024 Adobe vulnerabilities?

As of the release of the October 2024 updates, Adobe has not detected any active exploits targeting the vulnerabilities addressed in this month's updates. Users are still advised to apply the updates promptly to mitigate potential risks.

What updates are available for Adobe Dimension?

Adobe Dimension received an update to version 4.0.4, addressing critical vulnerabilities such as CVE-2024-45146 (Use After Free) and CVE-2024-45150 (Out-of-bounds Write), both with a CVSS score of 7.8. These flaws could allow arbitrary code execution. Users are recommended to update to version 4.0.4 via the Creative Cloud desktop app.

Which Adobe product updates are categorized as Priority 2 or Priority 3?

The updates for Adobe Commerce B2B are categorized as Priority 2, while the updates for Adobe Substance 3D Painter, Adobe Commerce, and Magento Open Source (excluding B2B) are categorized as Priority 3. Adobe recommends applying these updates according to the prioritization to ensure security.

Advisory

Adobe releases October 2024 patches for flaws in multiple products, including critical

published: Oct. 9, 2024

Take action: Another very large update release from Adobe. Fortunately, this month no critical flaws in Acrobat/Reader. Prioritize patching of Adobe Commerce & Magento Open Source, then review the rest of the list. Many products carry patches categorized as critical, so a proper review is needed for your organization

Learn More

Adobe released security updates to address multiple vulnerabilities in Adobe software. Both Adobe and CISA encourages users and administrators to review the Adobe Security Bulletins and apply the necessary updates:

Adobe Substance 3D Painter - Adobe has released a security update for Adobe Substance 3D Painter to address CVE-2024-20787 (CVSS score 5.5): Out-of-bounds Read (CWE-125) leading to a memory leak.. The update affects version 10.0.1 and earlier, across all platforms. Adobe has not detected any active exploits targeting this vulnerability. The update is categorized as Priority 3, and users are recommended to update to version 10.1.0 through the Creative Cloud desktop app.
Adobe Commerce & Magento Open Source - Adobe has released updates for Adobe Commerce and Magento Open Source, addressing several critical vulnerabilities. These flaws could enable arbitrary code execution, privilege escalation, security feature bypass, and arbitrary file system read.
- CVE-2024-45115 (CVSS score 9.8) - Improper Authentication allowing privilege escalation.
- CVE-2024-45148 (CVSS score 8.8) - Improper Authentication allowing Security feature bypass
- CVE-2024-45116 (CVSS score 8.1) - enabling arbitrary code execution.
- CVE-2024-45117 (CVSS score 7.6) - Improper Input Validation Arbitrary file system read
- Multiple other lower severity flaws are also patched
- Updates are available for Adobe Commerce versions 2.4.7-p3 and earlier, and Adobe Commerce B2B versions 1.4.2-p3 and earlier. The update is categorized as Priority 2 for B2B and Priority 3 for other versions. Users are advised to install the latest patches.
Adobe Dimension A security update for Adobe Dimension addresses critical vulnerabilities that could lead to arbitrary code execution. The update is for version 4.0.3 and earlier on Windows and macOS platforms. The flaws are categorized as critical even though the CVSS score is high.
- CVE-2024-45146 (CVSS score 7.8) - Use After Free
- CVE-2024-45150 (CVSS score 7.8) -Out-of-bounds Write
- Users are recommended to update to version 4.0.4 via the Creative Cloud desktop app.
Adobe Animate Adobe has released a security update for Adobe Animate, which resolves multiple critical vulnerabilities that could lead to arbitrary code execution and memory leaks. The update affects Animate 2023 version 23.0.7 and earlier, and Animate 2024 version 24.0.4 and earlier, for Windows and macOS. The flaws are categorized as critical even though the CVSS score is high.
- CVE-2024-47410 to CVE-2024-47418 (CVSS score 7.8) - Stack-based Buffer Overflow allowing arbitrary code execution.
- CVE-2024-47419 and CVE-2024-47420 (CVSS score 5.5) - Out-of-bounds Read leading to a memory leak.
- Users should update to versions 23.0.8 and 24.0.5 to mitigate these vulnerabilities.
Adobe InCopy - An update for Adobe InCopy fixes CVE-2024-45136 (CVSS score 7.8) - Unrestricted Upload of File with Dangerous Type related to file uploads, potentially allowing arbitrary code execution. This affects version 19.4 and earlier, as well as 18.5.3 and earlier on Windows and macOS.
Adobe FrameMaker Adobe has released an update for FrameMaker to address multiple critical vulnerabilities CVE-2024-47421 to CVE-2024-47425 (CVSS score 7.8) - Out-of-bounds Read that could result in arbitrary code execution. Affected are the 2020 Release Update 6 and earlier, and the 2022 Release Update 4 and earlier, for Windows.
Adobe Lightroom Adobe has released an update for Adobe Lightroom CVE-2024-45145 (CVSS score 7.8) Out-of-bounds Read to address an important vulnerability that could lead to a memory leak.
- Affected Versions:
  - Lightroom 7.4.1 and earlier (All platforms)
  - Lightroom Classic 13.5 and earlier (All platforms)
  - Lightroom Classic (LTS) 12.5.1 and earlier (All platforms)
- Updated Versions:
  - Lightroom 7.5
  - Lightroom Classic 13.5.1
  - Lightroom Classic (LTS) 12.5.2
Adobe InDesign Adobe released a security update for Adobe InDesign, addressing a critical vulnerability CVE-2024-45137 (CVSS score 7.8) - Unrestricted Upload of File with Dangerous Type that could allow arbitrary code execution.
- Affected Versions:
  - InDesign 19.4 and earlier (Windows and macOS)
  - InDesign 18.5.3 and earlier (Windows and macOS)
- Updated Versions:
  - InDesign 19.5
  - InDesign 18.5.4
Adobe Substance 3D Stager - Adobe has released an update for Adobe Substance 3D Stager, addressing multiple critical vulnerabilities that could allow arbitrary code execution. No known exploits have been reported for these issues.
- CVE-2024-45138 (CVSS score 7.8) - Use After Free
- CVE-2024-45139 (CVSS score 7.8) - Heap-based Buffer Overflow
- CVE-2024-45140 (CVSS score 7.8) - Out-of-bounds Write
- CVE-2024-45152 (CVSS score 7.8) - Out-of-bounds Write
- Affected Versions:
  - Substance 3D Stager 3.0.3 and earlier (Windows and macOS)
- Updated Version:
  - Substance 3D Stager 3.0.4

Adobe releases October 2024 patches for flaws in multiple products, including critical

Read More
Critical Citrix Netscaler "Citrix Bleed 2" flaw actively …
Critical authentication bypass vulnerability reported in Apache Pinot
Maximum severity flaw reported in Fortra's GoAnywhere MFT …
CISA reports active exploitation of Adobe ColdFusion flaw
QNAP patches multible security vulnerabilities in legacy VioStor …