Security updates available for Adobe Experience Manager | APSB22-40

Bulletin ID | Date Published | Priority
---|---|---
APSB22-40 | September 13, 2022 | 3
Summary
Adobe has released updates for Adobe Experience Manager (AEM). These updates resolve vulnerabilities rated Important. Successful exploitation of these vulnerabilities could result in arbitrary code execution and security feature bypass.
Affected product versions
Product | Version | Platform
---|---|---
Adobe Experience Manager (AEM) | AEM Cloud Service (CS) | All
Adobe Experience Manager (AEM) | 6.5.13.0 and earlier versions | All
Solution
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:
Product | Version | Platform | Priority | Availability
---|---|---|---|---
Adobe Experience Manager (AEM) | AEM Cloud Service (CS) | All | 3 | Release Notes
Adobe Experience Manager (AEM) | 6.5.14.0 | All | 3 | AEM 6.5 Service Pack Release Notes
Customers running on Adobe Experience Manager’s Cloud Service will automatically receive updates that include new features as well as security and functionality bug fixes.
Please contact Adobe customer care for assistance with AEM versions 6.4, 6.3 and 6.2.
Vulnerability details
Vulnerability Category | Vulnerability Impact | Severity | CVSS base score | CVSS vector | CVE Number
---|---|---|---|---|---
Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-30677
Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-30678
Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-30680
Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-30681
Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | 6.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N | CVE-2022-30682
Violation of Secure Design Principles (CWE-657) | Security feature bypass | Important | 5.3 | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N | CVE-2022-30683
Cross-site Scripting (Reflected XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-30684
Cross-site Scripting (Reflected XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-30685
Cross-site Scripting (Reflected XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-30686
Cross-site Scripting (Reflected XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-35664
Cross-site Scripting (Reflected XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-34218
Cross-site Scripting (Reflected XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-38438
Cross-site Scripting (Reflected XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2022-38439
Updates to dependencies
Dependency | Vulnerability Impact | Affected Versions
---|---|---
xmlgraphics | Privilege escalation | AEM CS, AEM 6.5.9.0 and earlier
ionetty | Privilege escalation | AEM CS, AEM 6.5.9.0 and earlier
Acknowledgments
Adobe would like to thank the following for reporting these issues and for working with Adobe to help protect our customers:
Jim Green (green-jam): CVE-2022-30677, CVE-2022-30678, CVE-2022-30680, CVE-2022-30681, CVE-2022-30682, CVE-2022-30683, CVE-2022-30684, CVE-2022-30685, CVE-2022-30686, CVE-2022-35664, CVE-2022-34218, CVE-2022-38438, CVE-2022-38439
Revisions
December 14th, 2021: Updated acknowledgment for CVE-2021-43762
December 16, 2021: Corrected priority level of bulletin to 2
December 29, 2021: Updated acknowledgement for CVE-2021-40722
For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.