Code Injection in Adobe ColdFusion



Published: 2012-06-13 | Updated: 2020-08-11
Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2012-2041
CWE-ID CWE-94
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		ColdFusion
Server applications / Application servers

Vendor Adobe

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Code Injection

EUVDB-ID: #VU44001

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2012-2041

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

CRLF injection vulnerability in the Component Browser in Adobe ColdFusion 8.0 through 9.0.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Mitigation

Install update from vendor's website.

Vulnerable software versions

ColdFusion: 8.0 - 9.0

External links

http://www.adobe.com/support/security/bulletins/apsb12-15.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###