Path traversal in ColdFusion - CVE-2022-38418
Published: October 11, 2022 / Updated: October 17, 2022
Vulnerability identifier: #VU68172
CSH Severity: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2022-38418
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
ColdFusion
ColdFusion
Software vendor:
Adobe
Adobe
Description
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences. A remote attacker can send a specially crafted HTTP request to the Application Server endpoint, which listens on TCP port 8500 by default, and read arbitrary files on the system.
Successful vulnerability exploitation may result in full system compromise.
Remediation
Install update from vendor's website.