CVE-2022-38423 ColdFusion versions Update 14 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory vulnerability. This could result in information disclosure.

In most cases, attackers would be required to have access to the server on which ColdFusion is installed. However, ColdFusion can be installed on a virtual server and remote access can be required to install ColdFusion. In most cases, an attacker would need to have access to the ColdFusion installation to exploit this issue.

Update 3 (and earlier) is affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in information disclosure. Exploitation of this issue does not require user interaction, but does require administrator privileges. Update 3 (and earlier) is also affected by a Cross-site scripting vulnerability that could result in information disclosure. Exploitation of this issue does not require user interaction, but does require administrator privileges.

Update 4 (and earlier) is affected by a SQL injection vulnerability that could result in information disclosure. Exploitation of this issue does not require user interaction, but does require administrator privileges. Update 4 (and earlier) is also affected by a Cross-site scripting vulnerability that could result in information disclosure. Exploitation of this issue does not require user interaction, but does require administrator privileges. Update 4 (and earlier) is affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in information disclosure.

Vulnerability overview

ColdFusion vulnerabilities that affect Update 3 (and earlier) are related to installing the software on a virtual server, where remote access is required. Vulnerabilities that affect Update 4 (and earlier) are likewise related to installing the software on a virtual server, where remote access is required.
According to the Security Tracker website, CVE-2022-38423 was first reported on July 5, 2018, with a CVSS v3 base score of 7.0.

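Vulnerable code:

    function doPathTraverse(path) {
        if (path.indexOf("/") != -1) {
            // path is a directory: keep everything before the last "/"
            // (no check for ".." segments or for a base directory)
            return path.substring(0, path.lastIndexOf("/"));
        } else {
            // path is not a directory: returned unchanged
            return path;
        }
    }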
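For contrast with the function above, the following added example (not code from this page or from ColdFusion) shows a containment check that limits a caller-supplied pathname to a restricted directory. BASE_DIR, resolveInside, checkSamples and the sample inputs are hypothetical and constructed for illustration; the input is assumed to arrive as a raw, still URL-encoded string.

```javascript
// Added example. BASE_DIR and resolveInside are hypothetical names.
const BASE_DIR = "/srv/app/files"; // assumed restricted directory

// Return the canonical path of userPath under baseDir, or null when the
// input is malformed or would resolve outside baseDir.
function resolveInside(baseDir, userPath) {
    if (typeof userPath !== "string" || userPath.length === 0) return null;
    let decoded;
    try {
        decoded = decodeURIComponent(userPath); // decode exactly once
    } catch (e) {
        return null; // malformed percent-escape
    }
    // A NUL byte or a leftover "%" (double encoding) is rejected outright.
    if (decoded.includes("\0") || decoded.includes("%")) return null;
    const unified = decoded.replace(/\\/g, "/"); // "\" also separates on Windows
    // Absolute paths and drive letters ignore the base directory entirely.
    if (unified.startsWith("/") || /^[A-Za-z]:/.test(unified)) return null;
    const stack = [];
    for (const seg of unified.split("/")) {
        if (seg === "" || seg === ".") continue;
        if (seg === "..") {
            if (stack.length === 0) return null; // would climb above baseDir
            stack.pop();
        } else {
            stack.push(seg);
        }
    }
    if (stack.length === 0) return null; // names the base directory itself
    return baseDir.replace(/\/+$/, "") + "/" + stack.join("/");
}

// Constructed sample inputs, not taken from any real request log.
const SAMPLES = [
    "reports/2022/q3.pdf",
    "reports/../notes.txt",
    "../../etc/passwd",
    "..%2f..%2fetc%2fpasswd",
    "%252e%252e/secret",
    "..\\..\\windows\\win.ini",
    "/etc/passwd",
];

function checkSamples() {
    return SAMPLES.map((p) => [p, resolveInside(BASE_DIR, p)]);
}

console.log(checkSamples());
```

This check works on the string only. On a real filesystem, symbolic links should also be resolved (for example with fs.realpathSync in Node.js) and the result compared against the base directory again before the file is opened.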

Timeline

Published on: 10/14/2022 20:15:00 UTC
Last modified on: 10/14/2022 20:31:00 UTC

References