Main Vulnerability Database Vulnerabilities #VU11681

Deserialization of untrusted data in ColdFusion - CVE-2018-4939

Published: April 10, 2018 / Updated: February 20, 2022

Vulnerability identifier: #VU11681

CSH Severity: High

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber

CVE-ID: CVE-2018-4939

CWE-ID: CWE-502

Exploitation vector: Remote access

Exploit availability: The vulnerability is being exploited in the wild

Vendor: Adobe

Affected software:
ColdFusion

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary code on vulnerable system.

The weakness exists due to insufficient validation of user-supplied input. A remote attacker can send a specially crafted input, trigger deserialization flaw and execute arbitrary code on the target system with elevated privileges.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

How to mitigate CVE-2018-4939

Install update from vendor's website.

Sources

https://helpx.adobe.com//security/products/coldfusion/apsb18-14.html

Deserialization of untrusted data in ColdFusion - CVE-2018-4939

Detailed vulnerability description

How to mitigate CVE-2018-4939

Sources

Please verify you're human