Adobe Experience Manager CVE-2019-16469 Information Disclosure Vulnerability
2020-01-14T00:00:00
ID SMNTC-111479 Type symantec Reporter Symantec Security Response Modified 2020-01-14T00:00:00
Description
Description
Adobe Experience Manager is prone to an information-disclosure vulnerability. Remote attackers can exploit this issue to gain access to sensitive information that may aid in further attacks. Adobe Experience Manager 6.5 is vulnerable.
Technologies Affected
Adobe Experience Manager 6.5
Recommendations
Block external access at the network boundary, unless external parties require service.
If global access isn't needed, filter access to the affected computer at the network boundary. Restricting access to only trusted computers and networks might greatly reduce the likelihood of a successful exploit.
Run all software as a nonprivileged user with minimal access rights.
To reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.
Deploy network intrusion detection systems to monitor network traffic for malicious activity.
Deploy NIDS to monitor network traffic for signs of anomalous or suspicious activity such as unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.
Updates are available. Please see the references or vendor advisory for more information.
{"id": "SMNTC-111479", "type": "symantec", "bulletinFamily": "software", "title": "Adobe Experience Manager CVE-2019-16469 Information Disclosure Vulnerability", "description": "### Description\n\nAdobe Experience Manager is prone to an information-disclosure vulnerability. Remote attackers can exploit this issue to gain access to sensitive information that may aid in further attacks. Adobe Experience Manager 6.5 is vulnerable.\n\n### Technologies Affected\n\n * Adobe Experience Manager 6.5 \n\n### Recommendations\n\n**Block external access at the network boundary, unless external parties require service.** \nIf global access isn't needed, filter access to the affected computer at the network boundary. Restricting access to only trusted computers and networks might greatly reduce the likelihood of a successful exploit.\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity such as unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits. \n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "published": "2020-01-14T00:00:00", "modified": "2020-01-14T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/111479", "reporter": "Symantec Security Response", "references": ["http://www.adobe.com/in/marketing-cloud/enterprise-content-management/web-cms.html"], "cvelist": ["CVE-2019-16469"], "lastseen": "2020-01-14T22:26:07", "viewCount": 6, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2019-16469"]}, {"type": "nessus", "idList": ["ADOBE_EXPERIENCE_MANAGER_APSB20-01.NASL"]}, {"type": "threatpost", "idList": ["THREATPOST:3DD752D9BB64796659DC752DBB658DF2"]}], "modified": "2020-01-14T22:26:07", "rev": 2}, "score": {"value": 5.2, "vector": "NONE", "modified": "2020-01-14T22:26:07", "rev": 2}, "vulnersScore": 5.2}, "affectedSoftware": [{"name": "Adobe Experience Manager", "operator": "eq", "version": "6.5"}]}
{"cve": [{"lastseen": "2021-02-02T07:12:54", "description": "Adobe Experience Manager versions 6.5, 6.4, 6.3, 6.2, 6.1, and 6.0 have an expression language injection vulnerability. Successful exploitation could lead to sensitive information disclosure.", "edition": 9, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-01-15T17:15:00", "title": "CVE-2019-16469", "type": "cve", "cwe": ["CWE-917"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-16469"], "modified": "2020-08-24T17:37:00", "cpe": [], "id": "CVE-2019-16469", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-16469", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": []}], "nessus": [{"lastseen": "2020-12-05T01:13:52", "description": "The version of Adobe Experience Manager installed on the remote host is 6.1.x less than 6.3.3.7, 6.4.x less than\n6.4.7.0, or 6.5.x less than 6.5.4.0. It is, therefore, affected by multiple vulnerabilities that could lead to sensitive\ninformation disclosure, as referenced in the APSB20-01 advisory, including the following:\n\n - A cross-site script inclusion vulnerability that allows remote attackers to disclose sensitive data via \n unspecified means. (CVE-2019-16466)\n\n - A reflected cross-site script vulnerability due to improper validation of user-supplied input before\n returning it to users. An unauthenticated, remote attacker can exploit this, by convincing a user to click\n a specially crafted URL, to execute arbitrary script in a user's browser session. (CVE-2019-16467)\n\n - An expression language injection vulnerability due to improper sanitization of user supplied input that\n allows remote attackers to disclose sensitive information via unspecified means. (CVE-2018-16469)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.", "edition": 2, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2020-12-03T00:00:00", "title": "Adobe Experience Manager 6.1 < 6.3.3.7 / 6.4 < 6.4.7.0 / 6.5 < 6.5.3.0 Multiple Vulnerabilities (APSB20-01)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-16469", "CVE-2019-16469", "CVE-2019-16467", "CVE-2019-16466", "CVE-2019-16468"], "modified": "2020-12-03T00:00:00", "cpe": ["cpe:/a:adobe:experience_manager"], "id": "ADOBE_EXPERIENCE_MANAGER_APSB20-01.NASL", "href": "https://www.tenable.com/plugins/nessus/143468", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(143468);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/12/04\");\n\n script_cve_id(\n \"CVE-2019-16466\",\n \"CVE-2019-16467\",\n \"CVE-2019-16468\",\n \"CVE-2019-16469\"\n );\n script_xref(name:\"IAVB\", value:\"2020-B-0002\");\n\n script_name(english:\"Adobe Experience Manager 6.1 < 6.3.3.7 / 6.4 < 6.4.7.0 / 6.5 < 6.5.3.0 Multiple Vulnerabilities (APSB20-01)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Adobe Experience Manager installed on the remote host is affected by multiple vulnerabilities\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Adobe Experience Manager installed on the remote host is 6.1.x less than 6.3.3.7, 6.4.x less than\n6.4.7.0, or 6.5.x less than 6.5.4.0. It is, therefore, affected by multiple vulnerabilities that could lead to sensitive\ninformation disclosure, as referenced in the APSB20-01 advisory, including the following:\n\n - A cross-site script inclusion vulnerability that allows remote attackers to disclose sensitive data via \n unspecified means. (CVE-2019-16466)\n\n - A reflected cross-site script vulnerability due to improper validation of user-supplied input before\n returning it to users. An unauthenticated, remote attacker can exploit this, by convincing a user to click\n a specially crafted URL, to execute arbitrary script in a user's browser session. (CVE-2019-16467)\n\n - An expression language injection vulnerability due to improper sanitization of user supplied input that\n allows remote attackers to disclose sensitive information via unspecified means. (CVE-2018-16469)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n # https://helpx.adobe.com/security/products/experience-manager/apsb20-01.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9d873f10\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the recommended update from the vendor advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-16469\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/01/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/01/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:experience_manager\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"adobe_experience_manager_http_detect.nbin\");\n script_require_keys(\"installed_sw/Adobe Experience Manager\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('http.inc');\n\nport = get_http_port(default:4502);\n\napp = 'Adobe Experience Manager';\n\n# We may not get the version for 6.1 and 6.2, but we should get the Branch - if this is 6.1 or 6.2 we should flag\napp_info = get_single_install(app_name:app, port:port, exit_if_unknown_ver:FALSE);\n\nif (app_info['version'] == UNKNOWN_VER && app_info['Branch'] =~ \"^6\\.[12]($|[^0-9])\")\n app_info['version'] = app_info['Branch'];\nelse if (app_info['version'] == UNKNOWN_VER)\n audit(AUDIT_UNKNOWN_APP_VER, app);\n\napp_info['parsed_version'] = vcf::parse_version(app_info['version']);\n\nvcf::check_granularity(app_info:app_info, sig_segments:2);\n\nconstraints = [\n { 'min_version' : '6.1', 'fixed_version' : '6.3.3.7' },\n { 'min_version' : '6.4', 'fixed_version' : '6.4.7.0' },\n { 'min_version' : '6.5', 'fixed_version' : '6.5.3.0' }\n];\n\nvcf::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_WARNING,\n flags:{xss:TRUE}\n);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "threatpost": [{"lastseen": "2020-10-15T22:26:21", "bulletinFamily": "info", "cvelist": ["CVE-2019-16466", "CVE-2019-16467", "CVE-2019-16468", "CVE-2019-16469", "CVE-2020-24400", "CVE-2020-24407", "CVE-2020-3710", "CVE-2020-3711", "CVE-2020-3712", "CVE-2020-3713", "CVE-2020-3714"], "description": "Adobe has released patches for five critical vulnerabilities in Adobe Illustrator CC, its popular vector graphics editor tool, which if exploited could enable arbitrary code execution.\n\nOverall Adobe patched nine vulnerabilities as part of its regularly-scheduled updates on Tuesday, including five critical ones in Adobe Illustrator CC, and four \u201cimportant\u201d and \u201cmoderate\u201d flaws in Adobe Experience Manager (AEM), its platform for integrated online marketing and web analytics.\n\n\u201cAdobe is not aware of any exploits in the wild for any of the issues addressed in these updates,\u201d according to[ Adobe\u2019s security update](<https://helpx.adobe.com/security/products/illustrator/apsb20-03.html>).\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe five critical flaws (CVE-2020-3710, CVE-2020-3711, CVE-2020-3712, CVE-2020-3713, CVE-2020-3714) open Illustrator CC up to a memory-corruption attack, which occurs when the contents of a memory location are modified due to programming errors, ultimately enabling attackers to execute arbitrary code.\n\nThe bugs affect Illustrator CC 2019 for Windows, versions 24.0 and earlier. Adobe users are urged to update to version 24.0.2, in a \u201cpriority 3\u201d update. According to Adobe, a \u201cpriority 3\u201d update \u201cresolves vulnerabilities in a product that has historically not been a target for attackers. Adobe recommends administrators install the update at their discretion.\u201d\n\nHonggang Ren with Fortinet\u2019s FortiGuard Labs was credited with discovering the flaws. Threatpost has reached out to Fortinet for further technical details.\n\nAdobe also stomped out three \u201cimportant\u201d vulnerabilities and one \u201cmoderate\u201d flaw in AEM. All four flaws could enable sensitive information disclosure. The important-severity flaws include two reflected cross-site scripting glitches (CVE-2019-16466 and CVE-2019-16467) that impact AEM 6.3, 6.4 and 6.5. These flaws enable an attacker to use a web app to send malicious code to a victim.\n\nThe other important-severity flaw is an expression language injection flaw (CVE-2019-16469) affecting AEM 6.5. Expression language injection occurs when attacker-controlled data is entered into an expression language interpreter.\n\nFinally, a moderate-severity user interface injection flaw (CVE-2019-16468) was also fixed, which impacts AEM 6.3, 6.4 and 6.5. The AEM flaws are a \u201cpriority 2\u201d update, meaning they exist in \u201ca product that has historically been at elevated risk.\u201d AEM users can update to the fixed versions, listed below:\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/01/14094457/Screen-Shot-2020-01-14-at-9.09.15-AM.png>)\n\nThis month\u2019s Adobe patches were few and far between, particularly [after last month\u2019s December update](<https://threatpost.com/adobe-fixes-critical-acrobat-photoshop-brackets-flaws/150970/>), when Adobe patched 25 CVEs overall across various products, including 17 critical vulnerabilities in Acrobat Reader, Photoshop and Brackets, which could lead to arbitrary code execution if exploited.\n\n_**Concerned about mobile security? **_[**Check out our free Threatpost webinar,**](<https://attendee.gotowebinar.com/register/7679724086205178371?source=art>) _**Top 8 Best Practices for Mobile App Security**__**, on Jan. 22 at 2 p.m. ET. **_**_Poorly secured apps can lead to malware, data breaches and legal/regulatory trouble. Join our experts to discuss the secrets of building a secure mobile strategy, one app at a time._** [_**Click here to register**_](<https://attendee.gotowebinar.com/register/7679724086205178371?source=art>)_**.**_\n", "modified": "2020-01-14T15:42:13", "published": "2020-01-14T15:42:13", "id": "THREATPOST:3DD752D9BB64796659DC752DBB658DF2", "href": "https://threatpost.com/adobe-patches-critical-illustrator-cc-flaws/151812/", "type": "threatpost", "title": "Adobe Patches Five Critical Illustrator CC Flaws", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}
