Path traversal in ColdFusion - CVE-2022-38418
Published: October 11, 2022 / Updated: October 17, 2022
Vulnerability identifier: #VU68172
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2022-38418
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Adobe
Affected software:
ColdFusion
ColdFusion
Detailed vulnerability description
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences. A remote attacker can send a specially crafted HTTP request to the Application Server endpoint, which listens on TCP port 8500 by default, and read arbitrary files on the system.
Successful vulnerability exploitation may result in full system compromise.
How to mitigate CVE-2022-38418
Install update from vendor's website.