Input validation error in ColdFusion - CVE-2012-0770
Published: March 14, 2012 / Updated: August 11, 2020
Vulnerability identifier: #VU44204
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2012-0770
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Adobe
Affected software:
ColdFusion
ColdFusion
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to perform service disruption.
Adobe ColdFusion 8.0, 8.0.1, 9.0, and 9.0.1 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. Per: http://cwe.mitre.org/data/definitions/407.html 'CWE-407: Algorithmic Complexity'
How to mitigate CVE-2012-0770
Install update from vendor's website.