=====================================================================

                             CERT-Renater

                 Note d'Information No. 2021/VULN470
_____________________________________________________________________

DATE                : 15/09/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Windows, macOS running Adobe InCopy versions prior
                                         to 16.4.

=====================================================================
https://helpx.adobe.com/security/products/incopy/apsb21-71.html
_____________________________________________________________________


Last updated on Sep 14, 2021

Security Update Available for Adobe InCopy | APSB21-71


Bulletin ID       Date Published         Priority

APSB21-71         September 14, 2021     3


Summary

Adobe has released a security update for Adobe InCopy.  This update
addresses multiple critical vulnerabilities. Successful exploitation
could lead to arbitrary code execution in the context of the current
user.  


Affected versions

Product           Affected version               Platform

Adobe InCopy     16.3.1 and earlier version      macOS

Adobe InCopy     16.3 and earlier version        Windows


Solution

Adobe categorizes these updates with the following priority rating and
recommends users update their software installations via the Creative
Cloud desktop app updater, or by navigating to the InCopy Help menu and
clicking "Updates." For more information, please reference this help
page.


Product    Updated version    Platform    Priority rating   Availability

Adobe InCopy    16.4     Windows  and macOS     3      Release Note 

For managed environments, IT administrators can use the Creative Cloud
Packager to create deployment packages. Refer to this help page for more
information.


Vulnerability Details

Vulnerability Category      Vulnerability Impact     Severity
CVSS base score        CVSS vector       CVE Number

Access of Memory Location After End of Buffer     (CWE-788)
Arbitrary file system write       Critical      8.8
CVSS3.1:/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H     CVE-2021-39819

Access of Memory Location After End of Buffer     (CWE-788)
Arbitrary code execution     Critical     7.8
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H    CVE-2021-39818


Acknowledgments

Adobe would like to thank the following researchers for reporting this
issue and for working with Adobe to help protect our customers.  

    CQY of Topsec Alpha Team (yjdfy) (CVE-2021-39818)
    Trung Tính Phạm (CVE-2021-39819)


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================