Adobe has issued updates to address a vulnerability in its ColdFusion software that could allow attackers to read arbitrary files from affected systems.
The flaw, identified as CVE-2024-53961, has a proof-of-concept (PoC) exploit publicly available, heightening the urgency for system administrators to apply the newly released patches.
Details of the Vulnerability
The vulnerability is classified as a Path Traversal issue (CWE-22), with the potential to grant unauthorized attackers arbitrary read access to the file system.
This flaw exists in ColdFusion versions 2023 (Update 11 and earlier) and 2021 (Update 17 and earlier). The vulnerability has been assigned a CVSS base score of 7.4 (Critical), emphasizing its risk level.
According to Adobe, the attack does not require prior authentication, and minimal attacker interaction is needed.
The company has acknowledged the active presence of a PoC exploit for this vulnerability, raising concerns about its weaponization in real-world attacks.
Affected Versions
The vulnerability affects:
- ColdFusion 2023: Update 11 and earlier versions.
- ColdFusion 2021: Update 17 and earlier versions.
All platforms running the aforementioned versions are impacted.
Adobe has released the following updates to mitigate the vulnerability:
- ColdFusion 2023: Update 12.
- ColdFusion 2021: Update 18.
These updates are categorized as Priority 1, reflecting their critical nature. Users are strongly advised to update their ColdFusion installations immediately via the official Adobe portal.
To further enhance security, Adobe has highlighted updated serial filter documentation as a means of protecting against insecure WDDX deserialization attacks.
Adobe has credited the researcher ma4ter for responsibly disclosing CVE-2024-53961. This collaboration reinforces Adobe’s commitment to working with the security community through its bug bounty program hosted on HackerOne.
With the PoC exploit already in circulation, this critical ColdFusion vulnerability poses a serious threat to users who delay applying the available security patches.
Organizations using affected versions are urged to act promptly to secure their systems and prevent potential breaches.
