Adobe released security updates for three vulnerabilities in ColdFusion. Two of these vulnerabilities are rated Critical, as they allow code execution and access control bypass. The third is rated Important, as it allows information disclosure.
The more critical issue is the code execution vulnerability as it could potentially allow for the takeover of a server.
The vulnerability details can be seen below:
| Vulnerability Category | Vulnerability Impact | Severity | CVE Number |
|---|---|---|---|
| Security bypass | Information Disclosure | Important | CVE-2019-8072 |
| Command Injection via Vulnerable component | Arbitrary code execution | Critical | CVE-2019-8073 |
| Path Traversal Vulnerability | Access Control Bypass | Critical | CVE-2019-8074 |
To resolve these vulnerabilities, Adobe advises users to update to ColdFusion 2018 Update 5 or ColdFusion 2016 Update 12, depending on the version in use.
These vulnerabilities were found by:
- Pete Freitag / Foundeo Inc. (https://foundeo.com/) (CVE-2019-8072)
- Badcode of Knownsec 404 Team (CVE-2019-8073)
- Daniel Underhay of Aura Information Security (CVE-2019-8074) and special thanks to Ben Reid of Techlegalia Pty. Ltd. and Pete Freitag, Foundeo Inc. (https://foundeo.com/) for their help in the investigation of the issue.
BleepingComputer was told by Knownsec and Freitag that the vulnerabilities were discovered through their own research and not seen exploited in the wild.