=====================================================================
                           CERT-Renater

                Note d'Information No. 2021/VULN474
_____________________________________________________________________

DATE                : 15/09/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : MacOS running Adobe Digital Editions versions
                      prior to 4.5.11.187658.

=====================================================================
https://helpx.adobe.com/security/products/Digital-Editions/apsb21-80.html
_____________________________________________________________________

Last updated on Sep 14, 2021

Security Updates Available for Adobe Digital Editions | APSB21-80

Bulletin ID    Date Published        Priority
APSB20-80      September 14, 2021    3

Summary

Adobe has released a security update for Adobe Digital Editions. This
update resolves one important and multiple critical vulnerabilities
that could result in arbitrary code execution.

Affected product versions

Product                   Version                    Platform
Adobe Digital Editions    4.5.11.187646 and below    MacOS

Solution

Adobe categorizes these updates with the following priority ratings
and recommends users update their installation to the newest version:

Product                   Version          Platform   Priority   Availability
Adobe Digital Editions    4.5.11.187658    MacOS      3          Download Page

Note: Customers can download the update from the Adobe Digital
Editions download page, or utilize the product’s update mechanism
when prompted.

Vulnerability details

Vulnerability Category : Creation of Temporary File in Directory with
                         Incorrect Permissions (CWE-379)
Vulnerability Impact   : Privilege Escalation
Severity               : Important
CVSS base score        : 5.8
CVSS vector            : CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
CVE Numbers            : CVE-2021-39828

Vulnerability Category : Creation of Temporary File in Directory with
                         Incorrect Permissions (CWE-379)
Vulnerability Impact   : Arbitrary file system write
Severity               : Critical
CVSS base score        : 7.8
CVSS vector            : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE Numbers            : CVE-2021-39827

Vulnerability Category : OS Command Injection (CWE-78)
Vulnerability Impact   : Arbitrary code execution
Severity               : Critical
CVSS base score        : 8.6
CVSS vector            : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CVE Numbers            : CVE-2021-39826

Acknowledgments

Adobe would like to thank the following security researchers for
reporting these issues and for working with Adobe to help protect our
customers.

  CQY of Topsec Alpha Team (yjdfy) (CVE-2021-39828, CVE-2021-39827)
  CFF of Topsec Alpha Team (cff_123) (CVE-2021-39826)

For more information, visit https://helpx.adobe.com/security.html, or
email PSIRT@adobe.com

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================