Multiple vulnerabilities in Adobe ColdFusion

Published: 2013-01-04 00:00:00 | Updated: 2017-01-13
Severity Critical
Patch available YES
Number of vulnerabilities 4
CVE ID CVE-2013-0632
CVE-2013-0631
CVE-2013-0629
CVE-2013-0625
CVSSv3 9.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C]
4.9 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C]
4.9 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C]
9.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C]
CWE ID CWE-592
CWE-200
CWE-287
Exploitation vector Network
Public exploit Vulnerability #1 is being exploited in the wild.
Vulnerability #2 is being exploited in the wild.
Vulnerability #3 is being exploited in the wild.
Vulnerability #4 is being exploited in the wild.
Vulnerable software ColdFusion
Vulnerable software versions ColdFusion 10.0
ColdFusion 9.0.2
ColdFusion 9.0.1
ColdFusion 9.0
Vendor URL Adobe

Security Advisory

1) Authentication bypass

Description

The vulnerability allows a remote attacker to bypass authentication and gain unauthorized administrative access to the vulnerable system.

The vulnerability exists due to an error within administrator.cfc. On servers where no password has been set, a remote unauthenticated attacker can log in to the RDS component using the default empty password and leverage that session to reach the administrative web interface.

Successful exploitation of this vulnerability results in unauthorized administrative access to Adobe ColdFusion.

Note: the vulnerability was being actively exploited.
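A detection check a practitioner would want for this path, written here as an added example and not code from the advisory or from Adobe: it hunts a web-server access log for requests to the ColdFusion administrative surface (administrator UI, Admin API including administrator.cfc, component utilities, RDS endpoint) coming from outside a trusted network. The /CFIDE paths are the default ColdFusion deployment locations, the trusted range is an assumption, and the log lines are constructed for the example.

```python
"""Hunt an access log for traffic to the ColdFusion administrative surface.

Added example (not from the advisory or from Adobe). Assumptions:
  - default ColdFusion paths under /CFIDE (administrator UI, Admin API
    administrator.cfc, component utilities, and /CFIDE/main/ide.cfm for RDS);
  - administrators only ever connect from TRUSTED_NETS;
  - the web server writes Apache common/combined log format.
The sample log lines are constructed for this example.
"""
import ipaddress
import re
from collections import Counter

# Path prefixes (lower-cased) that should only be reachable from trusted networks.
SENSITIVE_PREFIXES = (
    "/cfide/administrator",
    "/cfide/adminapi",         # Admin API, including administrator.cfc
    "/cfide/componentutils",
    "/cfide/main/ide.cfm",     # RDS endpoint
)

# Assumption: the internal range from which legitimate admin access happens.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Apache common/combined log format: client identd user [timestamp] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: one legitimate internal admin hit, an external caller
# reaching administrator.cfc and then the admin UI, and an external RDS probe.
SAMPLE_LOG = """\
10.1.2.3 - - [07/Jan/2013:10:00:01 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120
198.51.100.7 - - [07/Jan/2013:10:02:14 +0000] "POST /CFIDE/adminapi/administrator.cfc?method=login HTTP/1.1" 200 312
198.51.100.7 - - [07/Jan/2013:10:02:15 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120
203.0.113.9 - - [07/Jan/2013:10:05:00 +0000] "GET /cfide/main/ide.cfm HTTP/1.1" 403 221
203.0.113.9 - - [07/Jan/2013:10:05:01 +0000] "GET /index.cfm HTTP/1.1" 200 8800
this line is not in log format
""".splitlines()


def parse_line(line):
    """Return a dict with ip, ts, method, path, status, or None if unparseable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_trusted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def is_sensitive(path):
    """Match on the path only (query string dropped), case-insensitively:
    ColdFusion on Windows resolves /CFIDE and /cfide to the same place."""
    p = path.split("?", 1)[0].lower()
    return p.startswith(SENSITIVE_PREFIXES)


def hunt(lines):
    """Flag every request to the admin surface from outside TRUSTED_NETS.

    A 2xx answer means the endpoint was actually served to the caller
    ("success"); anything else is recorded as a "probe", which still matters
    because scanning for /CFIDE precedes exploitation."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_sensitive(rec["path"]) or is_trusted(rec["ip"]):
            continue
        severity = "success" if 200 <= rec["status"] < 300 else "probe"
        findings.append({"ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
                         "path": rec["path"], "status": rec["status"],
                         "severity": severity})
    return findings


def by_source(findings):
    """Count findings per client address to surface scanners and repeat offenders."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = hunt(SAMPLE_LOG)
    for f in hits:
        print(f"{f['severity']:7} {f['ip']:15} {f['status']} {f['method']} {f['path']}")
    print(dict(by_source(hits)))
```

Run it against a real log with hunt(open(path)) after setting TRUSTED_NETS to the ranges your administrators actually use; a "success" on administrator.cfc or the administrator UI from an untrusted address on an unpatched host is the event this advisory warns about. Admin traffic from trusted addresses is deliberately not flagged, so review it separately if the trusted range includes workstations that could themselves be compromised.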

Remediation

Install the update from the vendor's website. Until the hotfix is applied, the vendor advisory recommends restricting public access to the /CFIDE/administrator, /CFIDE/adminapi and /CFIDE/componentutils directories and ensuring that password protection is enabled for the administrator and for RDS.

External links

http://www.adobe.com/support/security/bulletins/apsb13-03.html

2) Information disclosure

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information from the target system.

The vulnerability exists due to improper access control. A remote attacker can obtain sensitive information from the affected server.

Note: the vulnerability was being actively exploited.

Remediation

Install the update from the vendor's website.

External links

http://www.adobe.com/support/security/bulletins/apsb13-03.html

3) Authentication bypass

Description

The vulnerability allows a remote attacker to bypass authentication.

The vulnerability exists due to an error in the authentication process on servers where no password has been configured. A remote unauthenticated attacker can gain unauthorized access to restricted directories.

Successful exploitation of this vulnerability results in unauthorized access to restricted directories.

Note: the vulnerability was being actively exploited.

Remediation

Install the update from the vendor's website.

External links

http://www.adobe.com/support/security/bulletins/apsb13-03.html

4) Authentication bypass

Description

The vulnerability allows a remote attacker to bypass authentication and execute arbitrary code on the target system.

The vulnerability exists due to improper authentication on servers where no password has been configured. A remote unauthenticated attacker can bypass the authentication process and execute arbitrary code on the target system.

Note: the vulnerability was being actively exploited.

Remediation

Install the update from the vendor's website.

External links

http://www.adobe.com/support/security/bulletins/apsb13-03.html
