Adobe has released security updates for three vulnerabilities in ColdFusion. Two of them are rated Critical: one allows arbitrary code execution and the other allows an access-control bypass. The third is rated Important because it allows information disclosure.
The most serious issue is the code execution vulnerability, as it could potentially allow an attacker to take over the server.
Details of the vulnerabilities can be viewed below:
| Vulnerability category | Impact | Severity | CVE number |
|---|---|---|---|
| Security bypass | Information disclosure | Important | CVE-2019-8072 |
| Command injection via a vulnerable component | Arbitrary code execution | Critical | CVE-2019-8073 |
| Path traversal | Access-control bypass | Critical | CVE-2019-8074 |
To address these vulnerabilities, Adobe recommends that users update to ColdFusion 2018 Update 5 or ColdFusion 2016 Update 12, depending on the version in use.
These vulnerabilities were discovered by:
- Pete Freitag / Foundeo Inc. (https://foundeo.com/) (CVE-2019-8072)
- Badcode of the Knownsec 404 Team (CVE-2019-8073)
- Daniel Underhay of Aura Information Security (CVE-2019-8074), with special thanks to Ben Reid of Techlegalia Pty. Ltd. and Pete Freitag of Foundeo Inc. (https://foundeo.com/) for their assistance in investigating the issue
Knownsec and Freitag told BleepingComputer that the vulnerabilities were discovered through their own research and had not been exploited in the wild.