Adobe ColdFusion 9 & 10 code injection vulnerability

2013-05-14T00:00:00
ID VU:113732
Type cert
Reporter CERT
Modified 2013-05-14T00:00:00

Description

Overview

Adobe ColdFusion 9, 9.0.1 and 9.0.2 (with the APSB13-03 hotfix applied) and ColdFusion 10 are vulnerable to code injection when ColdFusion is configured not to require authentication and RDS is disabled.

Description

Adobe ColdFusion is vulnerable to a code injection attack when RDS is disabled and ColdFusion is configured not to require authentication. Adobe has released security bulletin APSB13-13 with more details regarding this vulnerability.


Impact

A remote unauthenticated attacker may be able to upload a malicious .cfm file to the server and have it executed.


Solution

Apply an Update

Adobe has released ColdFusion security hotfix APSB13-13 to address this vulnerability.


Vendor Information

Vendor | Status | Date Notified | Date Updated
---|---|---|---
Adobe | | 05 Apr 2013 | 14 May 2013

CVSS Metrics

Group | Score | Vector
---|---|---
Base | 8.8 | AV:N/AC:M/Au:N/C:C/I:C/A:N
Temporal | 7.7 | E:ND/RL:OF/RC:C
Environmental | 5.8 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

  • <http://www.adobe.com/support/security/bulletins/apsb13-13.html>
  • <http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix-apsb13-13.html>
  • <http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix-apsb13-03.html>
  • <http://www.adobe.com/support/security/bulletins/apsb13-03.html>
  • <http://cwe.mitre.org/data/definitions/434.html>

Credit

Thanks to Tenable Network Security for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

  • CVE IDs: CVE-2013-1389
  • Date Public: 14 May 2013
  • Date First Published: 14 May 2013
  • Date Last Updated: 14 May 2013
  • Document Revision: 18