CVE-2022-38422: ColdFusion versions Update 14 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory vulnerability. This could result in information disclosure.

If a remote attacker is able to launch a successful man-in-the-middle attack, and if the user has enabled remote file access, then this issue could be exploited to view sensitive information or to modify the file system. Adobe recommends monitoring for signs of suspicious activity, disabling remote file access for the affected component, updating to the latest version of ColdFusion, and enforcing very restrictive network access to the affected component. Adobe has released updates to address this issue. Update 14 and earlier versions are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in information disclosure. Exploitation of this issue does not require user interaction.

References

- https://www.adobe.com/support/securitybulletins/apsb14-02.html
- https://www.adobe.com/products/coldfusion/whatsnew.html

Adobe has released updates to address this issue, which affects Adobe ColdFusion servers running Update 14 and earlier versions. The vulnerability could be exploited if a remote attacker is able to launch a successful man-in-the-middle attack and the user has enabled remote file access; in that case the attacker could view sensitive information or modify the file system.


Vulnerability Description

A remote user can gain access to sensitive information or modify the file system by performing a man-in-the-middle attack.
If Adobe ColdFusion is enabled for remote file access, then this issue could be exploited to view sensitive information or to modify the file system.

Products and Versions Affected

ColdFusion 11.0.2 and earlier
ColdFusion 10.0.3 and earlier
ColdFusion 9.0.1 and earlier

Timeline

Published on: 10/14/2022 20:15:00 UTC
Last modified on: 10/14/2022 20:31:00 UTC
