Adobe warns of ColdFusion file-reading vulnerability


Adobe released a critical security update for ColdFusion to address a vulnerability that allows attackers to read arbitrary files.

All about the vulnerability

This vulnerability allows attackers to potentially access sensitive files by bypassing security restrictions. It’s classified as “Improper Limitation of a Pathname to a Restricted Directory” (CWE-22). The CVSS Base Score for this vulnerability (CVE-2024-53961) is 7.4, indicating a high severity level.

Affected versions include:

Product | Update Number | Platform
ColdFusion 2023 | Update 11 and earlier | All
ColdFusion 2021 | Update 17 and earlier | All

This vulnerability can be exploited remotely without requiring user interaction or prior privileges, making it highly dangerous.


Adobe has released updates to address this issue (CVE-2024-53961).


Adobe strongly urges users to install these updates immediately, as they are of the highest priority.
Adobe also recommends upgrading the ColdFusion JDK/JRE to the latest Long-Term Support (LTS) version for enhanced security.

To protect against WDDX deserialization attacks, Adobe updated its security documentation. Users should review the updated guidelines and the ColdFusion Security and Lockdown Guides. Adobe thanks security researcher ma4ter for reporting this vulnerability.

Adobe encourages security researchers to participate in its bug bounty program on HackerOne. To stay protected, users should:

  • Implement the updated JVM flags as outlined in the security documentation.
  • Regularly review Adobe’s security resources and ColdFusion Lockdown Guides.

Adobe’s swift response to CVE-2024-53961 demonstrates its commitment to addressing vulnerabilities promptly.
Users are strongly advised to install the latest updates immediately to secure their systems.

By | 2024-12-31T11:02:53+05:30 December 27th, 2024|Internet Security, Security Advisory, Security Update, Tips, vulnerability|

About the Author:

FirstHackersNews- Identifies Security
