File Disclosure Vulnerability in Adobe ColdFusion and JRun on Microsoft IIS
CVE-2006-5858
Currently unrated
Summary
Adobe ColdFusion MX 7 up to 7.0.2 and JRun 4, when configured on Microsoft IIS, contain a vulnerability that allows unauthorized remote attackers to read arbitrary files. The attack relies on a double URL-encoded NULL byte in a ColdFusion filename, such as that of a CFM file. As a result, attackers may gain access to sensitive information, including source code and directory structures.
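A detection sketch for the pattern described in the summary, added here as an example and not taken from Adobe or from this advisory: it decodes each logged request path repeatedly and reports how many URL-decoding passes it takes for a NULL byte to appear in a path that names a CFM file. The log layout, the sample lines, and the names `nul_decode_round`, `scan` and `CF_EXTENSIONS` are assumptions made for the example.

```python
from urllib.parse import unquote

CF_EXTENSIONS = (".cfm",)   # assumption: extend to match local handler mappings
MAX_ROUNDS = 3              # decode passes to try before giving up

# Constructed sample lines in a simplified W3C-style layout (not real traffic).
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem sc-status",
    "2006-11-01 10:00:01 192.0.2.10 GET /app/index.cfm 200",
    "2006-11-01 10:00:05 198.51.100.7 GET /app/index.cfm%2500 200",
    "2006-11-01 10:00:09 198.51.100.7 GET /app/index.cfm%00 404",
    "2006-11-01 10:00:12 192.0.2.10 GET /docs/a%2520b.html 200",
]

def nul_decode_round(path, max_rounds=MAX_ROUNDS):
    """Return how many URL-decoding passes expose a NUL byte, or None."""
    current = path
    for rounds in range(max_rounds + 1):
        if "\x00" in current:
            return rounds
        decoded = unquote(current, encoding="latin-1")
        if decoded == current:      # nothing left to decode
            return None
        current = decoded
    return None

def scan(lines):
    """Return (line_no, client, rounds, raw_path) for suspicious CFM requests."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        fields = line.split()
        if line.startswith("#") or len(fields) < 5:
            continue
        client, raw_path = fields[2], fields[4].split("?", 1)[0]
        rounds = nul_decode_round(raw_path)
        if rounds is None:
            continue
        decoded = raw_path
        for _ in range(rounds):
            decoded = unquote(decoded, encoding="latin-1")
        # Only report paths that reference a ColdFusion file once decoded.
        if any(ext in decoded.lower() for ext in CF_EXTENSIONS):
            findings.append((line_no, client, rounds, raw_path))
    return findings

if __name__ == "__main__":
    for line_no, client, rounds, raw_path in scan(SAMPLE_LOG):
        print(f"line {line_no}: {client} NUL after {rounds} decode(s): {raw_path}")
```

A result with `rounds == 2` corresponds to the double-encoded form named in the summary; `rounds == 1` is a singly encoded NULL byte, which is reported as well because it is rarely legitimate in a request path.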
References
EPSS Score
7% chance of being exploited in the next 30 days.
Timeline
Vulnerability published
Vulnerability Reserved