cvelist | Adobe | CVELIST:CVE-2023-26358
History: Mar 22, 2023 - 12:00 a.m.

CVE-2023-26358 Adobe Creative Cloud AdobeExtensionService.exe local privilege escalation vulnerability

2023-03-22 00:00:00
CWE-426
adobe
www.cve.org
adobe creative cloud
adobeextensionservice.exe
local privilege escalation
version 5.9.1
untrusted search path vulnerability
unauthorized data access
configuration modification
malicious program execution

CVSS3: 8.6
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

AI Score: 8.7
Confidence: High

EPSS: 0.001
Percentile: 31.8%

Creative Cloud version 5.9.1 (and earlier) is affected by an Untrusted Search Path vulnerability that might allow attackers to execute their own programs, access unauthorized data files, or modify configuration in unexpected ways. If the application uses a search path to locate critical resources such as programs, then an attacker could modify that search path to point to a malicious program, which the targeted application would then execute. The problem extends to any type of critical resource that the application trusts.

CNA Affected

[
  {
    "vendor": "Adobe",
    "product": "Creative Cloud (desktop component)",
    "versions": [
      {
        "version": "unspecified",
        "lessThanOrEqual": "5.9.1",
        "status": "affected",
        "versionType": "custom"
      },
      {
        "version": "unspecified",
        "lessThanOrEqual": "None",
        "status": "affected",
        "versionType": "custom"
      }
    ]
  }
]
