Adobe ColdFusion Arbitrary File Read

high Web App Scanning Plugin ID 114259

Language:

Synopsis

Adobe ColdFusion Arbitrary File Read

Description

Adobe ColdFusion prior to versions 2021 Update 13 or 2023 Update 7, suffer from an Improper Access Control vulnerability that could lead to arbitrary file system read. By leveraging this vulnerability, a remote unauthenticated attacker can access to sensitive files and perform arbitrary file system write.

Solution

Upgrade to Adobe ColdFusion versions 2021 Update 13, 2023 Update 7 or later.

See Also

https://helpx.adobe.com/security/products/coldfusion/apsb24-14.html

Plugin Details

Severity: High

ID: 114259

Type: remote

Family: Component Vulnerability

Published: 4/22/2024

Updated: 4/22/2024

Scan Template: basic, full, pci, scan

Risk Information

VPR

Risk Factor: High

Score: 7.2

CVSS v2

Risk Factor: High

Base Score: 8.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:P/A:N

CVSS Score Source: CVE-2024-20767

CVSS v3

Risk Factor: High

Base Score: 8.2

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CVSS Score Source: CVE-2024-20767

Vulnerability Information

CPE: cpe:2.3:a:adobe:coldfusion:*:*:*:*:*:*:*:*

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/12/2024

Vulnerability Publication Date: 3/12/2024

Reference Information

CVE: CVE-2024-20767

CWE: 284

OWASP: 2010-A8, 2013-A7, 2013-A9, 2017-A5, 2017-A9, 2021-A1, 2021-A6

WASC: Insufficient Authorization

CAPEC: 19, 441, 478, 479, 502, 503, 536, 546, 550, 551, 552, 556, 558, 562, 563, 564, 578

DISA STIG: APSC-DV-000460, APSC-DV-002630

HIPAA: 164.306(a)(1), 164.306(a)(2), 164.312(a)(1), 164.312(a)(2)(i)

ISO: 27001-A.13.1.1, 27001-A.14.1.2, 27001-A.14.1.3, 27001-A.14.2.5, 27001-A.18.1.3, 27001-A.6.2.2, 27001-A.9.1.2, 27001-A.9.4.1, 27001-A.9.4.4, 27001-A.9.4.5

NIST: sp800_53-AC-3, sp800_53-CM-6b

OWASP API: 2019-API7, 2023-API8

OWASP ASVS: 4.0.2-1.4.2, 4.0.2-14.2.1

PCI-DSS: 3.2-6.2, 3.2-6.5.8