#VU92091 Weak Encoding for Password in ColdFusion


Vulnerability identifier: #VU92091

Vulnerability risk: Low

CVSSv3.1: 5.4 [CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-34113

CWE-ID: CWE-261

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
ColdFusion
Server applications / Application servers

Vendor: Adobe

Description

The vulnerability allows a local attacker to gain access to potentially sensitive information.

The vulnerability exists due to weak encoding of passwords. A local attacker can retrieve another user's credentials.

Mitigation
Install updates from the vendor's website.

Vulnerable software versions

ColdFusion: 2021 Update 1 - 2021, 2023 Update 1 - 2023


External links
http://helpx.adobe.com/security/products/coldfusion/apsb24-41.html


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can only be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

