Adobe released a security advisory to address a critical-severity vulnerability in ColdFusion. Tracked as CVE-2024-53961, the flaw is a path traversal weakness that may allow attackers to read arbitrary files on vulnerable servers, giving them unauthorized access and exposing data.
Adobe states in the advisory that it is aware that proof-of-concept exploit code for the vulnerability is publicly available. This raises the urgency of the issue and makes it crucial for organizations to patch it promptly, which reduces the risk of unauthorized access and data exposure. However, there is no evidence of active exploitation of the vulnerability.
Adobe ColdFusion is a commercial rapid web-application development platform that connects simple HTML pages to a database.
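As an added illustration of the bug class described above, and not Adobe's code or a description of ColdFusion internals (which are CFML/Java): a file-serving helper that checks for traversal on the still-encoded input beside a hardened version that decodes once, normalizes the joined path and verifies it stays under the document root. BASE_DIR and the request paths are constructed for the example.

```python
import posixpath
import urllib.parse

# Hypothetical document root for the example; any absolute POSIX path works.
BASE_DIR = "/opt/app/public"


def naive_resolve(raw: str) -> str:
    """Vulnerable pattern: a blocklist check on the still-encoded input,
    followed by decoding and concatenation. Encoded dots bypass the check,
    and an absolute path makes join() discard BASE_DIR entirely."""
    if ".." in raw:
        raise ValueError("traversal rejected")
    decoded = urllib.parse.unquote(raw)
    return posixpath.join(BASE_DIR, decoded)


def hardened_resolve(raw: str) -> str:
    """Decode once, reject anything still encoded or containing a NUL byte,
    normalise the joined path, then require the canonical result to remain
    inside BASE_DIR. Because the containment check runs on the normalised
    path rather than the raw string, '..' sequences and encoding tricks
    cannot escape the root."""
    decoded = urllib.parse.unquote(raw)
    if "%" in decoded or "\x00" in decoded:
        raise ValueError("double encoding or NUL byte rejected")
    decoded = decoded.replace("\\", "/")  # treat backslash as a separator too
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, decoded.lstrip("/")))
    if posixpath.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        raise ValueError("traversal rejected")
    # On a real filesystem also resolve symlinks (os.path.realpath) before
    # opening the file; normpath alone does not see them.
    return candidate


def effective_path(path: str) -> str:
    """The path the OS will actually open once '..' components are applied."""
    return posixpath.normpath(path)


def is_rejected(resolver, raw: str) -> bool:
    """True if the resolver refuses the request."""
    try:
        resolver(raw)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed request paths: one benign, one URL-encoded traversal attempt.
    for raw in ("images/logo.png", "%2e%2e/%2e%2e/%2e%2e/etc/passwd"):
        for name, fn in (("naive", naive_resolve), ("hardened", hardened_resolve)):
            result = "rejected" if is_rejected(fn, raw) else effective_path(fn(raw))
            print(f"{name:8} {raw} -> {result}")
```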
Affected versions
- Adobe ColdFusion 2023 Update 11 and older versions
- Adobe ColdFusion 2021 Update 17 and older versions
Mitigation
Customers must upgrade to the following versions to patch the vulnerability:
- Adobe ColdFusion 2023 Update 12
- Adobe ColdFusion 2021 Update 18
For more information, please refer to the Adobe Security Advisory (APSB24-107).
Qualys Detection
Qualys customers can scan their devices with QID 382611 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://helpx.adobe.com//security/products/coldfusion/apsb24-107.html