Credentials management in Adobe ColdFusion
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2010-5290 |
| CWE-ID | CWE-255 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
ColdFusion Server applications / Application servers |
| Vendor | Adobe |
Security Bulletin
This security bulletin contains one high risk vulnerability.
1) Credentials management
EUVDB-ID: #VU42544
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2010-5290
CWE-ID:
CWE-255 - Credentials Management
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The authentication process in Adobe ColdFusion before 10 does not require knowledge of the cleartext password if the password hash is known, which makes it easier for context-dependent attackers to obtain administrative privileges by leveraging read access to the configuration file, a different vulnerability than CVE-2010-2861. The CVSS score reflects previously published information indicating successful exploitation allows SYSTEM access on certain operating systems.
MitigationInstall update from vendor's website.
Vulnerable software versionsColdFusion: 9.0 - 9.0.1
External linkshttp://osvdb.org/97553
http://qualys.immunityinc.com/home/exploitpack/CANVAS/CF_directory_traversal
http://www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/
http://exchange.xforce.ibmcloud.com/vulnerabilities/87740
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
