Adobe Fixes ColdFusion Hole

Tuesday, March 5, 2019 @ 06:03 PM gHale

Adobe released updates to address a security vulnerability in ColdFusion that an attacker could exploit to take control of an affected system.

Exploits for this vulnerability have been detected in the wild.

The vulnerability, which Adobe labeled as critical, is a file upload restriction bypass that could lead to arbitrary code execution. It is tracked as CVE-2019-7816.

The vulnerability affects ColdFusion 11 Update 17 and earlier versions, ColdFusion 2016 Update 9 and earlier versions, and ColdFusion 2018 Update 2 and earlier versions.

This attack requires the ability to upload executable code to a web-accessible directory, and then execute that code via an HTTP request. Restricting requests to directories where uploaded files are stored will mitigate this attack.
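
As an added example (not from Adobe or the original article), the following Python script checks whether that restriction is holding by flagging access-log requests for server-executable file types under upload directories. The upload paths, extension list, log format and sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumptions, not from the article: where uploads are stored and which
# extensions the application server would execute. Adjust to the deployment.
UPLOAD_PREFIXES = ("/uploads/", "/userfiles/")
EXECUTABLE_EXTS = (".cfm", ".cfml", ".cfc", ".jsp", ".jspx")

# Common/combined log format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation-range addresses), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Mar/2019:10:00:01 +0000] "POST /app/upload.cfm HTTP/1.1" 200 512',
    '192.0.2.10 - - [05/Mar/2019:10:00:05 +0000] "GET /uploads/report.pdf HTTP/1.1" 200 20480',
    '198.51.100.7 - - [05/Mar/2019:10:02:11 +0000] "GET /uploads/avatar.CFM?x=1 HTTP/1.1" 200 87',
    '198.51.100.7 - - [05/Mar/2019:10:02:15 +0000] "GET /UserFiles/a%2Ejsp HTTP/1.1" 403 0',
]

def is_script_in_upload_dir(target):
    """True if the request path is under an upload prefix and names an executable type."""
    # Drop the query string, percent-decode, and lower-case before comparing.
    path = unquote(urlsplit(target).path).lower()
    if not path.startswith(UPLOAD_PREFIXES):
        return False
    # Check every segment, ignoring ";param" suffixes and trailing path info.
    return any(seg.split(";", 1)[0].endswith(EXECUTABLE_EXTS)
               for seg in path.split("/"))

def find_suspicious(lines):
    """Return (host, method, target, status) for each flagged log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_script_in_upload_dir(m["target"]):
            hits.append((m["host"], m["method"], m["target"], int(m["status"])))
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

A flagged request answered with a 2xx status means the upload directory still serves executable content; a 403 or 404 indicates the restriction is in effect.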


