CVE-2024-41874 ColdFusion | Deserialization of Untrusted Data (CWE-502)

2024-09-1309:18:03

CWE-502

adobe

www.cve.org

coldfusion

deserialization vulnerability

arbitrary code execution

user interaction

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

44.7%

JSON

ColdFusion versions 2023.9, 2021.15 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability by providing crafted input to the application, which when deserialized, leads to execution of malicious code. Exploitation of this issue does not require user interaction.

CNA Affected

[
  {
    "defaultStatus": "affected",
    "product": "ColdFusion",
    "vendor": "Adobe",
    "versions": [
      {
        "lessThanOrEqual": "2021.15",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      }
    ]
  }
]