Adobe Fixes Critical Security Vulnerabilities in ColdFusion


Adobe has released security updates for three vulnerabilities in ColdFusion. Two of them are rated Critical: one allows arbitrary code execution and the other allows an access-control bypass. The third is rated Important and allows information disclosure.

The most serious of the three is the code execution vulnerability, since it could allow an attacker to take over the server running ColdFusion.

The details of the vulnerabilities are listed below:

Vulnerability Category                      | Vulnerability Impact      | Severity  | CVE Number
--------------------------------------------|---------------------------|-----------|---------------
Security bypass                             | Information Disclosure    | Important | CVE-2019-8072
Command Injection via Vulnerable component  | Arbitrary code execution  | Critical  | CVE-2019-8073
Path Traversal Vulnerability                | Access Control Bypass     | Critical  | CVE-2019-8074

To resolve these vulnerabilities, Adobe recommends that users update to ColdFusion 2018 Update 5 or ColdFusion 2016 Update 12, depending on the version they are running.

These vulnerabilities were found by:

  • Pete Freitag / Foundeo Inc. (https://foundeo.com/) (CVE-2019-8072)
  • Badcode of Knownsec 404 Team (CVE-2019-8073)
  • Daniel Underhay of Aura Information Security (CVE-2019-8074), with special thanks to Ben Reid of Techlegalia Pty. Ltd. and Pete Freitag, Foundeo Inc. (https://foundeo.com/) for their help in the investigation of the issue.

BleepingComputer was told by Knownsec and Freitag that the vulnerabilities were discovered through their own research and not seen exploited in the wild.