Main Vulnerability Database Vulnerabilities #VU68178

#VU68178 Path traversal in ColdFusion - CVE-2022-38423

Published: October 11, 2022 / Updated: October 17, 2022

Vulnerability identifier: #VU68178

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2022-38423

CWE-ID: CWE-22

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
ColdFusion

Software vendor:
Adobe

Description

The vulnerability allows a remote user to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences. A remote user can send a specially crafted HTTP request to the Application Server endpoint, which listens on TCP port 8500 by default, and read arbitrary files on the system.

Remediation

Install update from vendor's website.

External links

https://helpx.adobe.com/security/products/coldfusion/apsb22-44.html
https://www.zerodayinitiative.com/advisories/ZDI-22-1420/