CVE-2022-38424 Adobe ColdFusion Application Server Directory Traversal Arbitrary file system write

2022-10-1100:00:00

CWE-22

adobe

www.cve.org

adobe coldfusion

directory traversal

cve-2022-38424

arbitrary file system write

vulnerability

path traversal

administrator privileges

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

7.7 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

58.3%

JSON

Adobe ColdFusion versions Update 14 (and earlier) and Update 4 (and earlier) are affected by an Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability that could result in arbitrary file system write. Exploitation of this issue does not require user interaction, but does require administrator privileges.

CNA Affected

[
  {
    "vendor": "Adobe",
    "product": "ColdFusion",
    "versions": [
      {
        "version": "unspecified",
        "lessThanOrEqual": "CF2021U4",
        "status": "affected",
        "versionType": "custom"
      },
      {
        "version": "unspecified",
        "lessThanOrEqual": "CF2018u14",
        "status": "affected",
        "versionType": "custom"
      },
      {
        "version": "unspecified",
        "lessThanOrEqual": "None",
        "status": "affected",
        "versionType": "custom"
      }
    ]
  }
]