Overview
Adobe ColdFusion 9, 9.0.1, 9.0.2 with the APSB13-03 hotfix and 10 contain a code injection vulnerability when ColdFusion is configured to not require authentication and RDS is disabled.
Description
Adobe ColdFusion is vulnerable to a code injection attack when RDS is disabled and ColdFusion is configured to not require authentication. Adobe has released security bulletin APSB13-13 with more details regarding this vulnerability.
Impact
A remote unauthenticated attacker may be able to upload a malicious .cfm file to the server and have it executed.
Solution
Apply an Update
Adobe has released ColdFusion security hotfix APSB13-13 to address this vulnerability.
Vendor Information
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | 8.8 | AV:N/AC:M/Au:N/C:C/I:C/A:N |
Temporal | 7.7 | E:ND/RL:OF/RC:C |
Environmental | 5.8 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
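The three scores in the table follow from their vectors through the CVSS v2 equations, and the same calculation lets a site re-score the issue with its own environmental metrics. The Python below is an added example, not part of the original advisory; the function names are illustrative and the weights are those of the CVSS v2 specification.

```python
from decimal import Decimal as D, ROUND_HALF_UP

# CVSS v2 metric weights (CVSS v2 specification); "ND" means Not Defined.
W = {
    "AV": {"L": "0.395", "A": "0.646", "N": "1.0"},
    "AC": {"H": "0.35", "M": "0.61", "L": "0.71"},
    "Au": {"M": "0.45", "S": "0.56", "N": "0.704"},
    "C": {"N": "0", "P": "0.275", "C": "0.660"},
    "E": {"U": "0.85", "POC": "0.9", "F": "0.95", "H": "1", "ND": "1"},
    "RL": {"OF": "0.87", "TF": "0.9", "W": "0.95", "U": "1", "ND": "1"},
    "RC": {"UC": "0.9", "UR": "0.95", "C": "1", "ND": "1"},
    "CDP": {"N": "0", "L": "0.1", "LM": "0.3", "MH": "0.4", "H": "0.5", "ND": "0"},
    "TD": {"N": "0", "L": "0.25", "M": "0.75", "H": "1", "ND": "1"},
    "CR": {"L": "0.5", "M": "1", "H": "1.51", "ND": "1"},
}
W["I"] = W["A"] = W["C"]      # integrity/availability share the confidentiality weights
W["IR"] = W["AR"] = W["CR"]   # all three security requirements share one scale

def parse(vector):
    """Turn 'AV:N/AC:M/...' into {metric: weight}; an unknown metric or value raises KeyError."""
    return {k: D(W[k][v]) for k, v in (p.split(":") for p in vector.split("/"))}

def r1(x):
    """round_to_1_decimal as used throughout the CVSS v2 equations."""
    return x.quantize(D("0.1"), rounding=ROUND_HALF_UP)

def _base(m, req=None):
    cr, ir, ar = (req["CR"], req["IR"], req["AR"]) if req else (D(1),) * 3
    impact = D("10.41") * (1 - (1 - m["C"] * cr) * (1 - m["I"] * ir) * (1 - m["A"] * ar))
    if req:  # AdjustedImpact is capped at 10; the plain base Impact is not
        impact = min(D(10), impact)
    exploitability = 20 * m["AV"] * m["AC"] * m["Au"]
    f = D(0) if impact == 0 else D("1.176")
    return r1((D("0.6") * impact + D("0.4") * exploitability - D("1.5")) * f)

def scores(base_vec, temporal_vec, env_vec):
    """Return (base, temporal, environmental) scores for the three vectors."""
    b, t, e = parse(base_vec), parse(temporal_vec), parse(env_vec)
    base = _base(b)
    temporal = r1(base * t["E"] * t["RL"] * t["RC"])
    adj_temporal = r1(_base(b, e) * t["E"] * t["RL"] * t["RC"])
    env = r1((adj_temporal + (10 - adj_temporal) * e["CDP"]) * e["TD"])
    return float(base), float(temporal), float(env)

if __name__ == "__main__":
    # Vectors exactly as listed in the table above.
    print(scores("AV:N/AC:M/Au:N/C:C/I:C/A:N", "E:ND/RL:OF/RC:C",
                 "CDP:ND/TD:M/CR:ND/IR:ND/AR:ND"))
```

Changing `TD:M` to the proportion of affected ColdFusion hosts in your own environment, or setting `CR`/`IR`/`AR` for the data those hosts handle, gives a site-specific environmental score.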
References
- http://www.adobe.com/support/security/bulletins/apsb13-13.html
- http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix-apsb13-13.html
- http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix-apsb13-03.html
- http://www.adobe.com/support/security/bulletins/apsb13-03.html
- http://cwe.mitre.org/data/definitions/434.html
Acknowledgements
Thanks to Tenable Network Security for reporting this vulnerability.
This document was written by Jared Allar.
Other Information
CVE IDs: CVE-2013-1389
Date Public: 2013-05-14
Date First Published: 2013-05-14
Date Last Updated: 2013-05-14 17:32 UTC
Document Revision: 19