DLL Search-Order Hijacking in Adobe ColdFusion Products
CVE-2020-9673

7.8HIGH

Key Information:

Vendor: Adobe
Status: Adobe Coldfusion 2016; Adobe Coldfusion 2018
Vendor: CVE Published:; 17 July 2020

Summary

Adobe ColdFusion versions 2016 and earlier, along with ColdFusion 2018 up to update 9, are susceptible to a DLL search-order hijacking vulnerability. This flaw allows an attacker to potentially exploit the environment, leading to privilege escalation. The vulnerability arises from improper handling of DLLs, which can be manipulated by attackers to execute malicious code. Organizations utilizing these versions of ColdFusion should assess their systems and consider applying updates or mitigations as outlined by Adobe.

Affected Version(s)

Adobe ColdFusion 2016 update 15 and earlier versions

Adobe ColdFusion 2018 update 9 and earlier versions

References

https://helpx.adobe.com/security/products/coldfusion/apsb...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Jul 17, 2020
Vulnerability Reserved
Mar 2, 2020