Adobe ColdFusion Vulnerable to Improper Access Control
CVE-2024-20767
Key Information:
- Vendor: Adobe
- Status: Vendor
- CVE Published: 18 March 2024
What is CVE-2024-20767?
CVE-2024-20767 is a vulnerability in Adobe ColdFusion, a widely used platform for building dynamic websites and web applications. It stems from improper access control (CWE-284) and lets an attacker read files on the server that should not be reachable; Adobe's advisory describes the issue as an arbitrary file system read. Exploitation needs no user interaction, and the practical precondition is that the ColdFusion administrator panel is reachable from the Internet. For organisations running ColdFusion that combination makes the flaw severe: configuration files, credentials and application data can be exposed, and disclosed secrets can then be reused to gain deeper access.
Technical Details
The vulnerability affects ColdFusion 2023 Update 6, ColdFusion 2021 Update 12, and all earlier releases (written on this page as 2023.6 and 2021.12). The flaw is a failure to enforce access controls on a server-side component, so an attacker who can reach the affected endpoints can read arbitrary files from the filesystem with no user interaction. The risk rises sharply when the administrator panel is accessible from the public Internet, because that gives a remote attacker a direct path to the vulnerable functionality.
Impact of the Vulnerability
- Unauthorized File Access: The primary concern is that attackers can read files that should be off-limits, including server configuration and application source. This can disclose sensitive information, customer data, credentials, or proprietary business documents.
- Information Manipulation: The Technical Details above and Adobe's advisory describe the flaw itself as a file read, not a write. Modification of critical files is a plausible follow-on outcome (for example, credentials recovered from readable configuration files being used to log in to the administrator panel) and should be treated as a secondary risk rather than a direct capability of this CVE.
- Increased Attack Surface: With the administrator panel exposed to the Internet, exploitation of this issue becomes straightforward and the host also becomes a target for unrelated attacks, including ransomware and full system compromise. Restricting the panel to trusted networks reduces exposure to this vulnerability and to others like it.
CISA Reported
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA tracks the most dangerous vulnerabilities in its Known Exploited Vulnerabilities (KEV) catalog and has listed CVE-2024-20767 as exploited in the wild; at the time of listing it was not known to CISA to be used in ransomware campaigns. That assessment can change quickly, and recent news articles suggest the vulnerability is being used by ransomware groups.
CISA's recommendation is: apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
ColdFusion 2021 Update 12 and earlier (2021 <= 2021.12)
ColdFusion 2023 Update 6 and earlier (2023 <= 2023.6)
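The two facts a defender needs from the Technical Details and Affected Version(s) sections are whether a host's ColdFusion build is inside the affected range and whether its administrator panel answers from an untrusted network position. The script below is an added example of a triage check combining both; it is not code from this page or from Adobe. It assumes that ColdFusion reports its version as four comma-separated fields ("<major>,<minor>,<update>,<build>", as in server.coldfusion.productversion) or in the short "2023.6" form this page uses, that the administrator UI sits at the default /CFIDE/administrator/ path, and that its login page contains the text "ColdFusion Administrator". The fetch function is injectable so the logic can be exercised offline against constructed responses.

```python
"""Triage helper for CVE-2024-20767 exposure (added example, not code from this
page or from Adobe).

Assumptions, labelled here because the page does not state them:
  * ColdFusion reports its version as four comma-separated fields,
    "<major>,<minor>,<update>,<build>" (e.g. "2023,0,06,330617"), the format
    of server.coldfusion.productversion; the short "2023.6" / "2021.12" form
    is the one this page uses.
  * The administrator UI is served from the default path /CFIDE/administrator/
    and its login page carries the text "ColdFusion Administrator".
"""
import re
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Last affected update per major release, from this page's Affected Version(s):
# ColdFusion 2023 <= Update 6, ColdFusion 2021 <= Update 12. Earlier majors are
# affected outright; later majors are outside the advisory's range.
LAST_AFFECTED_UPDATE = {2021: 12, 2023: 6}
ADMIN_PATH = "/CFIDE/administrator/"          # assumed default location
ADMIN_MARKER = "ColdFusion Administrator"     # assumed login-page text


def parse_version(text):
    """Return (major, update) from '2023,0,06,330617' or '2023.6'."""
    text = text.strip()
    four = re.fullmatch(r"(\d{4}),(\d+),(\d+),(\d+)", text)
    if four:
        return int(four.group(1)), int(four.group(3))
    short = re.fullmatch(r"(\d{4})\.(\d+)", text)
    if short:
        return int(short.group(1)), int(short.group(2))
    raise ValueError(f"unrecognised ColdFusion version string: {text!r}")


def is_affected(version):
    """True when the version is inside the range this page lists as affected."""
    major, update = parse_version(version)
    if major < min(LAST_AFFECTED_UPDATE):
        return True                          # older, unsupported major release
    last = LAST_AFFECTED_UPDATE.get(major)
    if last is None:
        return False                         # major newer than the advisory covers
    return update <= last


def classify_admin_response(status, body):
    """Classify a response to GET /CFIDE/administrator/ made from an untrusted
    network position. A reachable login page is 'exposed': the page's point is
    that exploitation becomes straightforward once the panel is Internet-facing."""
    if status in (401, 403):
        return "blocked"
    if status == 200 and ADMIN_MARKER in body:
        return "exposed"
    if status == 200:
        return "reachable-unknown"           # something answered; inspect manually
    return "not-found"


def _http_fetch(url, timeout=5.0):
    """Default fetcher: returns (status, first 64 KiB of body)."""
    req = Request(url, headers={"User-Agent": "cf-admin-exposure-check"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, ""
    except URLError:
        return 0, ""


def triage(version, base_url, fetch=None):
    """Combine version range and admin-panel exposure into a patch priority.
    `fetch(url) -> (status, body)` is injectable so the logic runs offline."""
    fetch = fetch or _http_fetch
    status, body = fetch(base_url.rstrip("/") + ADMIN_PATH)
    affected = is_affected(version)
    panel = classify_admin_response(status, body)
    if affected and panel == "exposed":
        priority = "patch-now"
    elif affected:
        priority = "patch-soon"
    else:
        priority = "no-action"
    return {"url": base_url, "version": version, "affected_version": affected,
            "admin_panel": panel, "priority": priority}


if __name__ == "__main__":
    # Constructed responses standing in for live hosts; build numbers are placeholders.
    def fake_fetch(url):
        if "intranet" in url:
            return 403, ""
        return 200, "<title>ColdFusion Administrator Login</title>"

    for ver, host in [("2023,0,06,000000", "https://cf.example.com"),
                      ("2021,0,12,000000", "https://intranet.example.com"),
                      ("2023,0,07,000000", "https://cf.example.com")]:
        print(triage(ver, host, fake_fetch))
```

Run the probe from outside the trusted network, since a 403 from an internal vantage point says nothing about Internet exposure. A "patch-soon" result is not a pass: the version is still vulnerable, and restricting /CFIDE/administrator/ at the web server or firewall is a mitigation, not a substitute for the vendor update.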
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that a vulnerability can be exploited. It is also a key building block for weaponization, which can end in ransomware deployment.
News Articles
U.S. CISA adds Microsoft Windows Kernel-Mode Driver and Adobe ColdFusion flaws to its Known Exploited Vulnerabilities catalog
U.S. CISA adds Microsoft Windows Kernel-Mode Driver and Adobe ColdFusion flaws to its Known Exploited Vulnerabilities catalog.
3 weeks ago
CISA and FBI Raise Alerts on Exploited Flaws and Expanding HiatusRAT Campaign
CISA adds Adobe ColdFusion and Microsoft Windows flaws to exploited list; FBI warns of HiatusRAT targeting IoT devices.
3 weeks ago
CISA Warns of Adobe & Windows Kernel Driver Exploited in Attacks
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an important warning after adding two critical vulnerabilities.
3 weeks ago
References
EPSS Score
EPSS estimates a 96% probability that this vulnerability will see exploitation activity in the next 30 days.
CVSS V3.1
Timeline
- CISA Reported
- Public PoC available
- Vulnerability started trending
- Used in Ransomware
- Exploit known to exist
- First article discovered by securityonline.info
- Vulnerability published
- Vulnerability Reserved