
=====================================================================

                              CERT-Renater

                  Information Note No. 2021/VULN596
_____________________________________________________________________

DATE                : 10/11/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Windows, macOS running Adobe InCopy versions prior
                     to 17.0.

=====================================================================
https://helpx.adobe.com/security/products/incopy/apsb21-110.html
_____________________________________________________________________

Last updated on Nov 9, 2021
Security Update Available for Adobe InCopy | APSB21-110

Bulletin ID          Date Published        Priority

APSB21-110           November 9, 2021      3


Summary
Adobe has released a security update for Adobe InCopy. This update
addresses critical and important vulnerabilities. Successful
exploitation could lead to arbitrary code execution and application
denial of service.


Affected versions

Product         Affected version            Platform

Adobe InCopy    16.4 and earlier versions   Windows and macOS


Solution
Adobe categorizes these updates with the following priority rating and
recommends users update their software installations via the Creative
Cloud desktop app updater, or by navigating to the InCopy Help menu and
clicking "Updates." For more information, please reference this help
page.


Product        Updated version   Platform            Priority rating   Availability

Adobe InCopy   17.0              Windows and macOS   3                 Release Notes


For managed environments, IT administrators can use the Creative Cloud
Packager to create deployment packages. Refer to this help page for more
information.


Vulnerability Details

CVE Number             : CVE-2021-43015
Vulnerability Category : Access of Memory Location After End of Buffer
                         (CWE-788)
Vulnerability Impact   : Arbitrary code execution
Severity               : Critical
CVSS base score        : 7.8
CVSS vector            : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE Number             : CVE-2021-43016
Vulnerability Category : NULL Pointer Dereference (CWE-476)
Vulnerability Impact   : Application denial-of-service
Severity               : Important
CVSS base score        : 5.5
CVSS vector            : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H


Acknowledgments
Adobe would like to thank the following researchers for reporting this
issue and for working with Adobe to help protect our customers.  

(yjdfy) CQY of Topsec Alpha Team CVE-2021-43015
(hy350) HY350 of Topsec Alpha Team CVE-2021-43016


For more information, visit https://helpx.adobe.com/security.html, or 
email PSIRT@adobe.com.


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


