Adobe has issued a critical security update for ColdFusion versions 2023 and 2021 to address a major vulnerability that could lead to an arbitrary file system read.
The identified vulnerability, CVE-2024-53961, has a known proof-of-concept exploit, making the updates crucial for users.
This release underscores Adobe’s commitment to ensuring the security and integrity of its products.
The vulnerability—classified as “Improper Limitation of a Pathname to a Restricted Directory” (CWE-22)—allows attackers to potentially bypass security constraints to access sensitive files.
Given its critical nature, the CVSS Base Score for CVE-2024-53961 stands at 7.4, categorizing it as a high-severity issue.
2024 MITRE ATT&CK Evaluation Results for SMEs & MSPs -> Download Free Guide
Affected versions include:
| Product | Update Number | Platform |
|---|---|---|
| ColdFusion 2023 | Update 11 and earlier | All |
| ColdFusion 2021 | Update 17 and earlier | All |
The vulnerability is exploitable remotely without requiring user interaction or prior privileges, significantly heightening its threat potential.
Adobe has released new updates to mitigate the risks associated with CVE-2024-53961:
Adobe urges users to update to the latest versions immediately as these patches are assigned a Priority Rating of “1,” indicating they are of the highest importance.
Additionally, the company recommends upgrading the ColdFusion JDK/JRE to the latest Long-Term Support (LTS) version to further enhance security.
To safeguard systems from insecure Wddx deserialization attacks, Adobe updated its serial filter documentation.
Users are encouraged to review the updated guidelines, along with ColdFusion Security and Lockdown Guides for versions 2023 and 2021.
Adobe has acknowledged security researcher ma4ter for reporting this vulnerability and contributing to the protection of ColdFusion users.
Adobe also highlights its public bug bounty program on HackerOne, inviting external researchers to collaborate on future security issues.
To ensure full compliance and protection, ColdFusion users should:
Adobe’s speedy response to CVE-2024-53961 reaffirms its vigilance in addressing vulnerabilities. Users are strongly encouraged to act immediately to install the latest updates and secure their systems.
Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free
Cybersecurity researchers have uncovered a surge in the use of Advanced Encryption Standard (AES) encryption…
Kaspersky's latest report on mobile malware evolution in 2024 reveals a significant increase in cyber…
In a concerning trend, the frequency of scanning attacks targeting Internet of Things (IoT) devices…
Google is rolling out a new privacy-focused feature called Shielded Email, designed to prevent apps and…
Cybersecurity experts are warning of an increasing trend in fileless attacks, where hackers leverage PowerShell…
Unit 42 researchers have observed a threat actor group known as JavaGhost exploiting misconfigurations in…