Adobe fixes ColdFusion arbitrary file read vulnerability
Take action: Time to update your Adobe ColdFusion server. It's not a panic-mode update, but since ColdFusion servers are mostly internet-facing, it's wise to update.
Adobe has fixed a vulnerability in its ColdFusion software, which allows unauthorized file reads on the system. The vulnerability, tracked as CVE-2024-20767 (CVSS score 8.2), is found in the handling of file access permissions within the ColdFusion component identified as `CFIDE/adminapi/_servermanager/servermanager.cfc`.
The exposure posed by CVE-2024-20767 could potentially lead to the disclosure of sensitive information, system configurations, and credentials.
The exploit was facilitated by manipulating the `getHeartBeat` method within the `MonitoringService`, which revealed the UUID of the `ColdFusion.monitor.Configuration`. This UUID could then be used to access the `PMSGenericServlet` servlet without authentication, allowing attackers to perform actions such as arbitrary file reads or downloading heap dumps, depending on the `module` parameter supplied.
Adobe addressed this vulnerability through the security bulletin APSB24-14, released on March 12, 2024. The bulletin lists the affected versions of ColdFusion as all platforms running ColdFusion 2023 Update 6 and earlier, as well as ColdFusion 2021 Update 12 and earlier. Adobe has given this update a priority rating of 3 and urges users to upgrade their installations to the latest versions to mitigate the risk.
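As an added example (not code from Adobe or this article), the following log-triage script flags the two request patterns described above, correlates them per source IP, and checks a ColdFusion release/update pair against the APSB24-14 scope. The sample log lines and the request paths are constructed; only the component, method and parameter names come from the bulletin.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample access-log lines (Combined Log Format). Not real traffic: the
# request paths are assumptions, only the component names come from the bulletin.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Mar/2024:10:01:12 +0000] "GET /cfusion/index.cfm HTTP/1.1" 200 512
10.0.0.9 - - [13/Mar/2024:10:02:41 +0000] "POST /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1" 200 1024
10.0.0.9 - - [13/Mar/2024:10:02:44 +0000] "GET /PMSGenericServlet?module=PLACEHOLDER HTTP/1.1" 200 2048
10.0.0.7 - - [13/Mar/2024:10:05:00 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<verb>\S+) (?P<uri>\S+) [^"]*"')


def classify(path, params):
    """Map one request (lower-cased path and params) to a rule name, or None."""
    if path.endswith("/cfide/adminapi/_servermanager/servermanager.cfc") \
            and params.get("method") == "getheartbeat":
        return "servermanager_heartbeat"
    if "pmsgenericservlet" in path and "module" in params:
        return "pms_servlet_module"
    return None


def triage(log_text):
    """Return (hits, chained_ips): rule matches, plus IPs that did heartbeat then servlet."""
    hits, heartbeat_ips, chained = [], set(), set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Combined Log Format
        path, _, query = m["uri"].partition("?")
        # Case-insensitive matching so casing variants of the same request are not missed.
        params = {k.lower(): v.lower() for k, v in parse_qsl(query, keep_blank_values=True)}
        rule = classify(path.lower(), params)
        if rule is None:
            continue
        hits.append({"ip": m["ip"], "ts": m["ts"], "rule": rule})
        if rule == "servermanager_heartbeat":
            heartbeat_ips.add(m["ip"])
        elif m["ip"] in heartbeat_ips:
            chained.add(m["ip"])  # same source completed the UUID-then-servlet sequence
    return hits, sorted(chained)


def is_affected(release, update):
    """APSB24-14 scope: 2023 Update 6 and earlier, 2021 Update 12 and earlier; None if unlisted."""
    last_vulnerable = {2023: 6, 2021: 12}
    if release not in last_vulnerable:
        return None
    return update <= last_vulnerable[release]
```

A source IP in `chained` is the one worth pulling a full session for, since a heartbeat call followed by a `PMSGenericServlet` request with a `module` parameter is the sequence the bulletin describes.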
To ensure comprehensive security, Adobe also recommends updating the ColdFusion JDK/JRE LTS to the latest update release, as merely applying the ColdFusion update is insufficient for full protection.