search menu icon-carat-right cmu-wordmark

CERT Coordination Center


Adobe ColdFusion 9 & 10 code injection vulnerability

Vulnerability Note VU#113732

Original Release Date: 2013-05-14 | Last Revised: 2013-05-14

Overview

Adobe ColdFusion 9, 9.0.1, 9.0.2 with the APSB13-03 hotfix and 10 are vulnerable to a code injection vulnerability when ColdFusion is configured to not require authentication and RDS is disabled.

Description

Adobe ColdFusion is vulnerable to a code injection attack when RDS is disabled and ColdFusion is configured to not require authentication. Adobe has released security bulletin APSB13-13 with more details regarding this vulnerability.

Impact

A remote unauthenticated attacker may be able to upload a malicious .cfm file to the server and have it executed.

Solution

Apply an Update

Adobe has released ColdFusion security hotfix APSB13-13 to address this vulnerability.

Vendor Information

113732
Expand all

Adobe

Notified:  April 05, 2013 Updated:  May 14, 2013

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://www.adobe.com/support/security/bulletins/apsb13-13.html

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base 8.8 AV:N/AC:M/Au:N/C:C/I:C/A:N
Temporal 7.7 E:ND/RL:OF/RC:C
Environmental 5.8 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Tenable Network Security for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

CVE IDs: CVE-2013-1389
Date Public: 2013-05-14
Date First Published: 2013-05-14
Date Last Updated: 2013-05-14 17:32 UTC
Document Revision: 18

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.