Security updates available for Adobe Experience Manager | APSB21-39

| Bulletin ID | Date Published | Priority |
|---|---|---|
| APSB21-39 | June 08, 2021 | 2 |
Summary
Affected product versions

| Product | Version | Platform |
|---|---|---|
| Adobe Experience Manager (AEM) | AEM Cloud Service (CS) | All |
| Adobe Experience Manager (AEM) | 6.5.8.0 and earlier versions | All |
Solution

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:

| Product | Version | Platform | Priority | Availability |
|---|---|---|---|---|
| Adobe Experience Manager (AEM) | AEM Cloud Service (CS) | All | 2 | Release Notes |
| Adobe Experience Manager (AEM) | 6.5.9.0 | All | 2 | AEM 6.5 Service Pack Release Notes |
Customers running on Adobe Experience Manager’s Cloud Service will automatically receive updates that include new features as well as security and functionality bug fixes.
Please contact Adobe customer care for assistance with AEM versions 6.3 and 6.2.
Vulnerability details

| Vulnerability Category | Vulnerability Impact | Severity | CVSS base score | CVSS vector | CVE Number |
|---|---|---|---|---|---|
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 6.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L | CVE-2021-28625 |
| Improper Authorization (CWE-285) | Application denial-of-service | Moderate | 3.7 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L | CVE-2021-28626 |
| Server-Side Request Forgery (SSRF) (CWE-918) | Security feature bypass | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L | CVE-2021-28627 |
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 6.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L | CVE-2021-28628 |
Updates to dependencies

| Dependency | Vulnerability Impact | Affected Versions |
|---|---|---|
| Apache Xerces2 | Application Denial-of-Service | AEM CS; AEM 6.5.8.0 and earlier |
| Apache Sling | Improper Access Control | AEM CS; AEM 6.5.8.0 and earlier |
| Handlebars.js | Improper Access Control | AEM CS; AEM 6.5.8.0 and earlier |
| Uber Jar | Remote Code Execution | AEM CS; AEM 6.5.8.0 and earlier |
| jQuery | Improper Access Control | AEM CS; AEM 6.5.8.0 and earlier |
| Eclipse Jetty | Uncontrolled Resource Consumption | AEM CS; AEM 6.5.8.0 and earlier |
Acknowledgments
Adobe would like to thank SignorRossi (CVE-2021-28627) for reporting this issue and for working with Adobe to help protect our customers.
Revisions
June 15, 2021: Updated CVSS vector for CVE-2021-28626.
For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.