- Adobe fixes flaws found in two versions of ColdFusion
- It warns users to patch as soon as possible as PoC becomes available
- The flaw can be used to create or overwrite critical files
Adobe has fixed a high-severity vulnerability found in two versions of ColdFusion, a rapid development platform for building web applications, APIs and software.
The vulnerability, numbered CVE-2024-53961, is described as a path traversal flaw and affects ColdFusion 2021 and 2023 versions.
It has a severity score of 7.4 (high), and according to CWE, it can be used to create or overwrite critical files used to run code, such as programs or libraries.
Patch as soon as possible
“An attacker could exploit this vulnerability to access files or directories outside of the restricted directories set by the application,” NIST explains. “This could lead to the disclosure of sensitive information or the manipulation of system data.”
This isn’t theoretical either: according to BleepingComputer, proof-of-concept (PoC) exploit code is already available.
The publication emphasizes that “Adobe is aware of a known proof-of-concept that CVE-2024-53961 may lead to arbitrary file system read”. The vulnerability was given a “Priority 1” severity rating by the company because it “presents a higher risk of exploitation on a given product version and platform.”
Adobe urges users to apply a given patch immediately, preferably within 72 hours. For ColdFusion 2021, this is update 18; for ColdFusion 2023, this is update 12.
While a PoC is available, it’s unclear whether the vulnerability has actually been abused. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) does not appear to have added it to its Known Exploited Vulnerabilities (KEV) catalog, which may indicate that evidence of abuse has not yet been discovered.
However, cybercriminals know that many organizations are not very diligent when it comes to patching and often prefer to look for known flaws rather than zero-day vulnerabilities. Since the PoC is already available, launching an attack is a walk in the park.
Via BleepingComputer