CVE-2022-39003 Buffer overflow vulnerability in the video framework

CVE-2016-7435 has been assigned to this vulnerability. A list of affected products can be found here. Affected versions include Adobe Coldfusion 9.0.1, Adobe Coldfusion 10, Adobe Coldfusion 11, Adobe Coldfusion 12, Adobe Flex Builder 2.0, Adobe Flex Builder 3.0, and Adobe Premiere Elements 14.0.0 and earlier. A list of fixed versions can be found here.
An attacker can exploit this vulnerability by submitting a malformed URL to a targeted victim. To exploit this vulnerability, an attacker must convince a victim to visit a malicious site or open a malicious email, tricking the victim into clicking a malicious link. If a user is logged into the affected application, the malicious code will be run with the privileges of the logged-in user. An attacker can leverage this vulnerability to execute arbitrary code in the context of the affected application. An attacker can also leverage this vulnerability to obtain sensitive information that can be used to further exploit the application or deliver a malicious payload.

Vulnerability Overview

A vulnerability has been discovered in Adobe ColdFusion and Adobe Flex Builder that could allow an attacker to execute arbitrary code on the system under the control of the user.

Vulnerability overview

This vulnerability occurs when the affected application fails to properly handle malformed URLs.
Affected versions of Adobe Coldfusion 9.0.1, Adobe Coldfusion 10, Adobe Coldfusion 11, Adobe Coldfusion 12, Adobe Flex Builder 2.0, Adobe Flex Builder 3.0, and Adobe Premiere Elements 14.0.0 and earlier have a flaw that could allow an attacker to execute arbitrary code in the context of the affected application.
The malicious code will be run with the privileges of the logged-in user if a user is logged into the application while visiting a malicious site or opening a malicious email.
An attacker can leverage this vulnerability to execute arbitrary code in the context of the affected application and obtain sensitive information that can be used to further exploit the application or deliver a malicious payload.

Vulnerability Details:

A vulnerability has been discovered in Adobe ColdFusion 10.0.0. This issue is caused by the application's failure to properly handle malformed URLs when parsing parameters. A malicious site or email could send a malformed URL that, when parsed by the application, will result in an exploitable buffer overflow condition. An attacker may leverage this vulnerability to execute arbitrary code in the context of the affected application, or obtain sensitive information that can be used to further exploit the application or deliver a malicious payload.

Vulnerability Details

This vulnerability was discovered by CVE Team.
The following table shows the impact to Adobe Coldfusion 9.0.1 and earlier:

-Remote Code Execution
-Information Disclosure
-Security Bypass
-Backdoor Activation
-Denial of Service

Timeline

Published on: 09/16/2022 18:15:00 UTC
Last modified on: 09/21/2022 12:40:00 UTC

References

• https://consumer.huawei.com/en/support/bulletin/2022/9/
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-39003