Adobe has issued an emergency security patch to address a critical vulnerability (CVE-2024-53961) affecting ColdFusion versions 2023 and 2021. The flaw, which stems from a path traversal weakness, could allow attackers to read arbitrary files on vulnerable servers.
Key Points:
– Proof-of-concept exploit code exists for the vulnerability
– Adobe has assigned it a “Priority 1” severity rating due to high exploitation risk
– The flaw affects ColdFusion 2021 and 2023 versions
Required Actions:
1. Install emergency patches within 72 hours:
– ColdFusion 2021 Update 18
– ColdFusion 2023 Update 12
2. Implement security configurations as outlined in the respective lockdown guides
3. Review the updated serial filter documentation to prevent WDDX deserialization attacks
Security Context:
This vulnerability follows a pattern of serious ColdFusion security issues. In 2023, CISA ordered federal agencies to patch two critical flaws (CVE-2023-29298 and CVE-2023-38205) that were being actively exploited. Another critical vulnerability (CVE-2023-26360) was used in attacks that compromised government servers beginning in March 2023.
CISA emphasizes that path traversal vulnerabilities remain a significant security concern, potentially exposing sensitive data and credentials that could lead to system breaches.
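The advisory describes the flaw only as a path traversal weakness that lets a request read files outside the intended directory. The following added example is not Adobe's code and does not reflect how ColdFusion itself resolves paths; it shows the two defensive checks a practitioner would want in place regardless of the vendor patch: a containment check that canonicalises a user-supplied path (after URL decoding, including double encoding) and rejects anything that escapes an assumed document root, and a small scanner that flags traversal patterns in constructed access-log lines. The web root, log lines and request paths are all hypothetical.

```python
"""Path-containment check and access-log scan for traversal attempts.

Added illustration, not Adobe's or ColdFusion's own code. WEB_ROOT and the
sample log are constructed for the example.
"""
import os
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

WEB_ROOT = "/srv/app/wwwroot"  # assumed, hypothetical document root


def resolve_within_root(root: str, user_path: str) -> Optional[str]:
    """Return the absolute path under `root`, or None if `user_path` escapes it.

    Decoding happens first so '%2e%2e%2f' and double-encoded '%252e' cannot
    bypass the check; backslashes are normalised so Windows-style separators
    are treated the same way. normpath collapses '.' and '..' components and
    the result is then verified to still sit inside `root`.
    """
    decoded = unquote(unquote(user_path)).replace("\\", "/")
    if "\x00" in decoded:  # embedded NUL can truncate paths in native code
        return None
    root_norm = os.path.normpath(root)
    candidate = os.path.normpath(os.path.join(root_norm, decoded.lstrip("/")))
    if candidate != root_norm and not candidate.startswith(root_norm + os.sep):
        return None
    return candidate


# Common Log Format subset: client IP, timestamp, request line, status code.
LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Traversal indicators in raw or decoded form: '../', '..\', '..%2f', '%2e%2e', '..%5c'.
TRAVERSAL_RE = re.compile(r"(\.\.[/\\]|\.\.%2f|\.\.%5c|%2e%2e)", re.IGNORECASE)

# Constructed sample log; the paths are textbook traversal shapes, not a real capture.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Dec/2024:10:00:01 +0000] "GET /index.cfm HTTP/1.1" 200 512
10.0.0.9 - - [24/Dec/2024:10:00:07 +0000] "GET /files/../../../etc/passwd HTTP/1.1" 404 0
10.0.0.9 - - [24/Dec/2024:10:00:09 +0000] "GET /files/..%2f..%2fconfig.txt HTTP/1.1" 200 2048
10.0.0.5 - - [24/Dec/2024:10:00:12 +0000] "GET /files/..%252f..%252fsecret.txt HTTP/1.1" 400 0
"""


def find_traversal_attempts(log_text: str) -> List[Dict]:
    """Return one record per request whose path contains a traversal pattern.

    Both the raw path and its double-decoded form are checked, so encoded and
    double-encoded variants are caught. A 2xx status on a flagged request is
    the case that warrants immediate investigation.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m:
            continue
        raw_path = m.group("path")
        decoded = unquote(unquote(raw_path))
        if TRAVERSAL_RE.search(raw_path) or TRAVERSAL_RE.search(decoded):
            hits.append({
                "ip": m.group("ip"),
                "path": raw_path,
                "status": int(m.group("status")),
                "succeeded": 200 <= int(m.group("status")) < 300,
            })
    return hits


if __name__ == "__main__":
    for p in ("index.cfm", "img/../logo.png", "../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd"):
        print(f"{p!r:32} -> {resolve_within_root(WEB_ROOT, p)}")
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(hit)
```

The containment check is the general form of the mitigation for any file-serving code path: decode, canonicalise, then compare against the root, never the other way round. The log scan is deliberately simple; in practice it would feed a SIEM rule keyed on the `succeeded` flag, since a traversal request that returns 200 is evidence the server handed back a file it should not have.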