NIST NVD Analysis for Adobe Premiere Rush
A vulnerability analysis of Adobe Premiere Rush using the NIST’s National Vulnerability Database Search and Statistics feature.
--
As someone who enjoys creating and editing videos, Adobe Premiere Rush has become my favorite go-to software product for its ease and accessibility. While Premiere Rush is a part of the Adobe Creative Cloud suite, along with other popular applications such as Photoshop, it can also be used stand-alone. I was curious as to which vulnerabilities, if any, affected this newer product. Using “adobe premiere rush” and “Adobe Premiere Rush” in the NIST NVD keyword text search resulted in 23 recorded vulnerabilities between June 2020 and February 2023. Of the 23 vulnerabilities, about 70% (16 vulnerabilities) have a high CVSS severity rating, 26% (6 vulnerabilities) have a medium rating, and 4% (1 vulnerability) have a low rating (NIST NVD, Adobe Premiere Rush Vulnerabilities Search Results). This analysis uses the V3.1 CVSS severity rating as some V2.0 ratings were unavailable and therefore incomplete.
Below, I have categorized the relevant CVEs by severity rating (low, medium, high), and have grouped by a brief, high-level CVE description.
Low CVSS
access to initialized pointer vulnerability, allows remote attackers to disclose arbitrary data on installs. User interaction needed to exploit this vulnerability:
CVE-2021-43030Medium CVSS
out-of bound read vulnerability; exploitation needs user to open a malicious file ; can lead to information disclosure:
CVE-2022-23204
CVE-2020-9617 null pointer deference vulnerability, application DoS; exploitation needs user interaction:
CVE-2021-43750
CVE-2021-43749
CVE-2021-43748 access to initialized pointer vulnerability, allows remote attackers to disclose arbitrary data on installs. User interaction needed to exploit this vulnerability:
CVE-2021-43746High CVSS
arbitrary code execution; exploitation needs user to open a malicious file:
CVE-2023-22244
CVE-2023-22234 memory corruption vulnerability, arbitrary code execution; user interaction needed to exploit this vulnerability:
CVE-2021-43747
CVE-2021-43029
CVE-2021-43028
CVE-2021-43026
CVE-2021-43025
CVE-2021-43024
CVE-2021-43023
CVE-2021-43022
CVE-2021-43021
CVE-2021-40784
CVE-2021-40783 out of bounds real vulnerability; can lead to information disclosure:
CVE-2020-9657
CVE-2020-9656
CVE-2020-9655
It was interesting to see that there were major similarities between the vulnerabilities affecting Premiere Rush. Vulnerabilities with high and medium CVSS ratings required user interaction, specifically where users open a malicious file, for the exploitation to be successful. Eighty percent of the high CVSS ratings were related to arbitrary code execution or a memory corruption vulnerability. The remaining 20% high CVSS rated vulnerabilities were categorized as “out-of-bounds” read vulnerabilities that, if successful, led to user information disclosure. It was surprising to learn that Adobe Premiere Rush vulnerabilities spiked in 2021, the year after the software was initially released, and then trended down (NIST NVD, Adobe Premiere Rush Statistics Results). With Rush making up a small portion of vulnerabilities affecting Adobe as a whole, it would make sense that more well-known products such as Photoshop, Illustrator, or Creative Cloud are being targeted instead (NIST NVD, Adobe Statistics Results).
The NIST National Vulnerability Database is a website that I was familiar with as I had to use it for previous class. I plan to use it more regularly in my personal life and career as it is extremely valuable when it comes to staying in the know on vulnerabilities affecting software that I own, software that I use at work, and receiving centralized notifications on patches for identified vulnerabilities.