Multiple vulnerabilities in Adobe ColdFusion



Risk Medium
Patch available YES
Number of vulnerabilities 2
CVE-ID CVE-2024-34112
CVE-2024-34113
CWE-ID CWE-284
CWE-261
Exploitation vector Network
Public exploit N/A
Vulnerable software
ColdFusion
Server applications / Application servers

Vendor Adobe

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Improper access control

EUVDB-ID: #VU92090

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-34112

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A remote attacker can bypass implemented security restrictions and gain unauthorized access to sensitive information.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

ColdFusion: 2021 Update 1 - 2023

CPE2.3 External links

http://helpx.adobe.com/security/products/coldfusion/apsb24-41.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Weak Encoding for Password

EUVDB-ID: #VU92091

Risk: Low

CVSSv3.1: 5.4 [CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-34113

CWE-ID: CWE-261 - Weak Cryptography for Passwords

Exploit availability: No

Description

The vulnerability allows a local attacker to gain access to potentially sensitive information.

The vulnerability exists due to weak encoding for password. A local attacker can retrieve the credentials from another user.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

ColdFusion: 2021 Update 1 - 2023

CPE2.3
External links

http://helpx.adobe.com/security/products/coldfusion/apsb24-41.html


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###