Adobe has issued an out-of-band security update to address a critical ColdFusion vulnerability, which has a proof-of-concept (PoC) exploit code that is publicly available.
The vulnerability, identified as CVE-2024-53961 (CVSS score: 7.4), arises from a path traversal flaw, which impacts Adobe ColdFusion versions 2023 (Update 11 and earlier) and 2021 (Update 17 and earlier).
If exploited, this flaw can enable attackers to gain unauthorized access to arbitrary files on compromised servers, potentially exposing data.
“An attacker could exploit this vulnerability to access files or directories that are outside of the restricted directory set by the application. This could lead to the disclosure of sensitive information or the manipulation of system data,” a NIST advisory reads.
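The NIST text above is the generic definition of a path traversal flaw: user-controlled input is joined onto a base directory and the resulting path is opened without checking that it still lies inside that directory. The following Python is an added illustration of that class, not code from the page, from Adobe, or from ColdFusion, and it does not reproduce the specific code path behind CVE-2024-53961, which the advisory does not describe. The directory names and file contents are constructed in a temporary directory so the example runs offline; it shows the vulnerable pattern beside a containment check that resolves the candidate path and rejects anything that escapes the base.

```python
import os
import tempfile
from pathlib import Path

# Constructed sandbox: one directory the application is allowed to serve,
# a file inside it, and a "secret" file one level above it.
_ROOT = Path(tempfile.mkdtemp())
BASE_DIR = _ROOT / "webroot"
BASE_DIR.mkdir()
(BASE_DIR / "report.txt").write_text("public report")
(_ROOT / "secret.txt").write_text("not for the web")


def read_file_unsafe(requested: str) -> str:
    """Vulnerable pattern: join the request onto the base and open whatever results.
    A request of '../secret.txt' walks out of BASE_DIR and reads the secret."""
    return (BASE_DIR / requested).read_text()


def resolve_under_base(base: Path, requested: str) -> Path:
    """Hardened pattern: resolve the candidate (collapsing '..' and symlinks)
    and require the result to stay under the resolved base directory.
    Raises PermissionError for any path that escapes."""
    base_resolved = base.resolve()
    # An absolute 'requested' replaces the base entirely when joined; the
    # containment check below still catches that case after resolution.
    candidate = (base_resolved / requested).resolve()
    if os.path.commonpath([str(base_resolved), str(candidate)]) != str(base_resolved):
        raise PermissionError(f"path escapes base directory: {requested!r}")
    return candidate


def is_contained(requested: str) -> bool:
    """True when the request resolves to a location inside BASE_DIR."""
    try:
        resolve_under_base(BASE_DIR, requested)
        return True
    except PermissionError:
        return False


def read_file_safe(requested: str) -> str:
    """Serve a file only after the containment check passes."""
    return resolve_under_base(BASE_DIR, requested).read_text()


if __name__ == "__main__":
    print(read_file_safe("report.txt"))          # served
    print(is_contained("../secret.txt"))         # False: rejected
    print(is_contained("/etc/passwd"))           # False: absolute path rejected
    print(read_file_unsafe("../secret.txt"))     # the vulnerable version leaks it
```

The check compares resolved paths rather than scanning the input for `..`, because encoded or platform-specific separators can slip past a string filter while the filesystem still honours them; resolving first means the comparison is made on what the OS would actually open.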
For those unaware, ColdFusion is an application server and web programming language that facilitates dynamic web page creation by enabling communication with back-end systems based on user input, database queries, or other criteria.
“Adobe is aware that CVE-2024-53961 has a known proof-of-concept that could cause an arbitrary file system read,” Adobe said in an advisory released on Monday.
Adobe has assigned the flaw a “Priority 1” severity rating, the highest possible level, due to the “higher risk of being targeted by exploit(s) in the wild for a given product version and platform.”
The company has released emergency security patches (ColdFusion 2021 Update 18 and ColdFusion 2023 Update 12). It has recommended users install these patches “within 72 hours” to mitigate any potential security risks associated with this critical flaw.
Further, Adobe has suggested that users apply the security configuration settings detailed in the ColdFusion 2023 and ColdFusion 2021 lockdown guides.
While Adobe has yet to confirm any active exploitation of the vulnerability, it has urged users to review the updated serial filter documentation to safeguard against insecure WDDX deserialization attacks.