- Adobe patches a flaw found in two versions of ColdFusion
- It warned users to patch ASAP, since a PoC is available
- The bug can be used to create or overwrite critical
Adobe has fixed a high-severity vulnerability found in two versions of ColdFusion, a rapid development platform for building web applications, APIs, and software.
The vulnerability, tracked as CVE-2024-53961, is described as a path traversal flaw, affecting ColdFusion versions 2021 and 2023.
It was given a severity score of 7.4 (high) and, according to CWE, it can be used to create or overwrite critical files used to run code, such as programs or libraries.
Patch ASAP
“An attacker could exploit this vulnerability to access files or directories that are outside of the restricted directory set by the application,” NIST explains. “This could lead to the disclosure of sensitive information or the manipulation of system data.”
This isn’t theoretical, either. According to BleepingComputer, proof-of-concept (PoC) exploit code is already available.
“Adobe is aware that CVE-2024-53961 has a known proof-of-concept that could cause an arbitrary file system read,” Adobe said in a security advisory, the publication stressed. The bug was given a “Priority 1” severity rating by the company, as it has “a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform.”
Adobe urged users to apply the given patches immediately, preferably within 72 hours. For ColdFusion 2021, that’s Update 18, and for ColdFusion 2023, that’s Update 12.
While a PoC is available, there is no word on whether the vulnerability is actually being abused in the wild. The US Cybersecurity and Infrastructure Security Agency (CISA) doesn’t seem to have added it to its Known Exploited Vulnerabilities (KEV) catalog, which could indicate that evidence of abuse has not yet been found.
However, cybercriminals know that many organizations aren’t very diligent when it comes to patching, and will often go for known flaws rather than look for zero-days. And with a PoC already available, mounting an attack could be a walk in the park.
Via BleepingComputer