Remote code execution in Adobe ColdFusion



Published: 2021-03-22
Risk High
Patch available YES
Number of vulnerabilities 1
CVE ID CVE-2021-21087
CWE ID CWE-20
Exploitation vector Network
Public exploit N/A
Vulnerable software
ColdFusion
Server applications / Application servers

Vendor Adobe

Security Advisory

This security advisory describes one high risk vulnerability.

1) Input validation error

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-21087

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to insufficient validation of user-supplied input. A remote non-authenticated attacker can send specially crafted data to the application and execute arbitrary code on the system.


Mitigation

Install updates from vendor's website.

Note: Adobe recommends updating your ColdFusion JDK/JRE to the latest version of the LTS releases for 1.8 and JDK 11. Applying the ColdFusion update without a corresponding JDK update will NOT secure the server.

Please see the vendor's advisory for details.

Vulnerable software versions

ColdFusion: 2016, 2016 Update 1, 2016 Update 2, 2016 Update 3, 2016 Update 4, 2016 Update 5, 2016 Update 6, 2016 Update 7, 2016 Update 8, 2016 Update 9, 2016 Update 10, 2016 Update 11, 2016 Update 12, 2016 Update 13, 2016 Update 14, 2016 Update 15, 2016 Update 16, 2018 Update 1, 2018 Update 2, 2018 Update 3, 2018 Update 4, 2018 Update 5, 2018 Update 6, 2018 Update 7, 2018 Update 8, 2018 Update 9, 2018 Update 10, 2018.0.0.310739, 2021

External links

https://helpx.adobe.com/security/products/coldfusion/apsb21-16.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
