CVE-2023-26358: 
Adobe Creative Cloud vulnerability analysis and mitigation

Adobe Creative Cloud version 5.9.1 and earlier versions were found to contain an Untrusted Search Path vulnerability. The vulnerability was disclosed on March 14, 2023, and affects Adobe Creative Cloud Desktop applications. This security issue was assigned the identifier CVE-2023-26358 (Adobe Advisory, NVD).

The vulnerability is classified as an Untrusted Search Path vulnerability (CWE-426). It received a CVSS v3.1 base score of 7.8 (High) from NIST with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, while Adobe Systems assigned it a slightly higher score of 8.6 with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H (NVD).

If exploited, this vulnerability could allow attackers to execute their own programs, access unauthorized data files, or modify configurations in unexpected ways. The vulnerability occurs when the application uses a search path to locate critical resources such as programs, where an attacker could modify that search path to point to a malicious program, which the targeted application would then execute (NVD).

Adobe has addressed this vulnerability by releasing version 5.10 of Creative Cloud. Users are advised to update their Creative Cloud Desktop application to the latest version to mitigate this security risk (Adobe Advisory).

Adobe acknowledged Will Dormann for reporting the vulnerability (Adobe Advisory).