Adobe Security Bulletin
Security update available for Adobe Creative Cloud Desktop Application | APSB20-33
Bulletin ID Date Published Priority
APSB20-33 July 14, 2020 2

Summary

Adobe has released a security update for Creative Cloud Desktop Application for Windows. This update addresses critical and important vulnerabilities.  Successful exploitation could lead to arbitrary file system write and privilege escalation in the context of the current user.        

 

Affected versions

Product Affected version Platform
Creative Cloud Desktop Application

5.1 and earlier versions

Windows 

Note:

To check the version of the Adobe Creative Cloud desktop app:

  1. Launch the Creative Cloud desktop app and sign in with your Adobe ID
  2. Click the gear icon and choose Preferences > General  

To check the version of the Adobe Creative Cloud desktop app (5.0 or later):

  1. Launch the Creative Cloud desktop app and sign in with your Adobe ID
  2. Click the Help menu and choose “About Creative Cloud”

Solution

Adobe categorizes this update with the following priority rating and recommends users update their installation to the newest version:

Product Updated version Platform Priority rating Availability
Creative Cloud Desktop Application 5.2 Windows 
2 Download Center

The latest Creative Cloud Desktop App installer can be downloaded from the Download Center

Vulnerability Details

Vulnerability Category Vulnerability Impact Severity CVE Numbers
Lack of Exploit Mitigations Privilege escalation
Important 
CVE-2020-9669
Insecure File permissions
Privilege escalation
Important
CVE-2020-9671  
Symlink vulnerability
Privilege escalation
Important
CVE-2020-9670
Symlink vulnerability
Arbitrary file system write
Critical
CVE-2020-9682

Acknowledgments

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers: 

  • Xavier DANEST – Decathlon (CVE-2020-9671)  
  • Zhongcheng Li(CK01) of Topsec Alpha Team (CVE-2020-9669, CVE-2020-9670, CVE-2020-9682)