CVE-2023-47072: 
Adobe After Effects vulnerability analysis and mitigation

Adobe After Effects versions 24.0.2 (and earlier) and 23.6 (and earlier) are affected by an Access of Uninitialized Pointer vulnerability (CVE-2023-47072). The vulnerability was discovered and reported on July 20, 2023, and publicly disclosed on November 15, 2023. This security flaw specifically affects the parsing of MP4 files in Adobe After Effects running on both Windows and macOS operating systems (ZDI Advisory, NVD).

The vulnerability is classified as an Access of Uninitialized Pointer issue (CWE-824) that occurs during the parsing of MP4 files. The specific flaw exists due to the lack of proper initialization of memory prior to accessing it. The vulnerability has been assigned a CVSS v3.1 Base Score of 3.3 (Low) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N, indicating local access requirements and user interaction for exploitation (ZDI Advisory, NVD).

The vulnerability could lead to the disclosure of sensitive memory information. When successfully exploited, attackers could potentially leverage this vulnerability to bypass security mitigations such as Address Space Layout Randomization (ASLR). The impact is limited to information disclosure, with no direct impact on system integrity or availability (NVD).

Adobe has released security updates to address this vulnerability. Users are advised to update to the latest version of Adobe After Effects. The fix was released as part of the security bulletin APSB23-66 (Adobe Advisory).