Adobe has issued a critical security update for ColdFusion versions 2023 and 2021 to address a major vulnerability that could lead to an arbitrary file system read.
The identified vulnerability, CVE-2024-53961, has a known proof-of-concept exploit, making the updates crucial for users.
This release underscores Adobe’s commitment to ensuring the security and integrity of its products.
The vulnerability—classified as “Improper Limitation of a Pathname to a Restricted Directory” (CWE-22)—allows attackers to potentially bypass security constraints to access sensitive files.
Given its critical nature, the CVSS Base Score for CVE-2024-53961 stands at 7.4, categorizing it as a high-severity issue.
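CWE-22 defects follow a common shape: a user-supplied path fragment is joined onto a restricted base directory without checking that the resolved result still lies inside it. The following Python is an added example written for this article, not Adobe's code and not the ColdFusion fix; it assumes a hypothetical file-serving handler (the base directory `/srv/demo_files` and the access-log lines are constructed) and shows the weak join beside a hardened containment check, plus a simple detector for traversal indicators in access logs.

```python
"""Path-containment check for CWE-22 and a small log detector (added example).

Assumptions (not from the advisory): a hypothetical handler maps a user-supplied
relative path onto a restricted base directory; the log lines below are constructed.
"""
import os
from pathlib import Path
from typing import List, Optional
from urllib.parse import unquote


def naive_resolve(base_dir: str, user_path: str) -> str:
    """Weak form: plain join, no containment check.

    os.path.join discards base_dir when user_path is absolute, and '..'
    segments are passed through untouched.
    """
    return os.path.join(base_dir, user_path)


def safe_resolve(base_dir: str, user_path: str) -> Optional[Path]:
    """Hardened form: decode, canonicalise, then verify containment.

    Returns the absolute path only if it lies inside base_dir; otherwise None.
    """
    base = Path(base_dir).resolve()
    # Decode twice so double-encoded sequences (e.g. %252e) cannot slip past
    # the containment check; decoding plain text twice is harmless.
    decoded = unquote(unquote(user_path))
    # Reject NUL bytes (can truncate paths in lower layers) and absolute paths.
    if "\x00" in decoded or Path(decoded).is_absolute() or decoded.startswith(("/", "\\")):
        return None
    # resolve() collapses '..' and follows symlinks, so the check below is
    # made on the real target, not on the string the client sent.
    candidate = (base / decoded).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    return candidate


# Generic CWE-22 indicators for log review; not specific to any product.
TRAVERSAL_MARKERS = ("../", "..\\", "%2e%2e", "%252e", "..;")


def flag_traversal_requests(log_lines: List[str]) -> List[str]:
    """Return request paths from combined-format access-log lines that
    contain a traversal indicator. Matching is case-insensitive."""
    hits = []
    for line in log_lines:
        parts = line.split('"')
        if len(parts) < 2:
            continue  # not a combined-format line
        request = parts[1].split(" ")  # e.g. ['GET', '/path', 'HTTP/1.1']
        path = request[1] if len(request) > 1 else request[0]
        if any(marker in path.lower() for marker in TRAVERSAL_MARKERS):
            hits.append(path)
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Dec/2024:10:00:01 +0000] "GET /files/reports/q1.txt HTTP/1.1" 200 512',
    '10.0.0.9 - - [24/Dec/2024:10:00:02 +0000] "GET /files/../../etc/hosts HTTP/1.1" 404 0',
    '10.0.0.9 - - [24/Dec/2024:10:00:03 +0000] "GET /files/%2E%2E/%2E%2E/conf.txt HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    print("naive :", naive_resolve("/srv/demo_files", "../../etc/hosts"))
    print("safe  :", safe_resolve("/srv/demo_files", "../../etc/hosts"))
    print("flagged:", flag_traversal_requests(SAMPLE_LOG))
```

The containment test is done on the canonicalised path rather than by string-matching `..`, which is why symlinks and encoded forms are handled by the same check; the log detector is a triage aid for reviewing access logs after applying the update, not a substitute for patching.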
Affected versions include:
| Product | Update Number | Platform |
|---|---|---|
| ColdFusion 2023 | Update 11 and earlier | All |
| ColdFusion 2021 | Update 17 and earlier | All |
The vulnerability is exploitable remotely without requiring user interaction or prior privileges, significantly heightening its threat potential.
Adobe has released new updates to mitigate the risks associated with CVE-2024-53961:
Adobe urges users to update to the latest versions immediately as these patches are assigned a Priority Rating of “1,” indicating they are of the highest importance.
Additionally, the company recommends upgrading the ColdFusion JDK/JRE to the latest Long-Term Support (LTS) version to further enhance security.
To safeguard systems from insecure WDDX deserialization attacks, Adobe has updated its serial filter documentation.
Users are encouraged to review the updated guidelines, along with ColdFusion Security and Lockdown Guides for versions 2023 and 2021.
Adobe has acknowledged security researcher ma4ter for reporting this vulnerability and contributing to the protection of ColdFusion users.
Adobe also highlights its public bug bounty program on HackerOne, inviting external researchers to collaborate on future security issues.
To ensure full compliance and protection, ColdFusion users should:
Adobe’s speedy response to CVE-2024-53961 reaffirms its vigilance in addressing vulnerabilities. Users are strongly encouraged to act immediately to install the latest updates and secure their systems.