#VU56825 Path traversal in ColdFusion - CVE-2010-2861

 


Published: September 22, 2021 / Updated: March 25, 2022


Vulnerability identifier: #VU56825
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber
CVE-ID: CVE-2010-2861
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: The vulnerability is being exploited in the wild
Vulnerable software: ColdFusion
Software vendor: Adobe

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to an input validation error when processing directory traversal sequences in the CFIDE/administrator/settings/mappings.cfm, logging/settings.cfm, datasources/index.cfm, j2eepackaging/editarchive.cfm, and CFIDE/administrator/enter.cfm scripts. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise the affected system.
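The following added example (not part of the original advisory or any vendor tooling) shows one way to review web server access logs for requests that reach the scripts listed above with a traversal sequence in the URL. It assumes combined-format logs and that the sequence appears in the query string; the sample lines, the parameter name `p` and the file name are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, unquote

# Script paths named in the advisory, matched as case-insensitive suffixes.
SCRIPTS = (
    "cfide/administrator/settings/mappings.cfm",
    "logging/settings.cfm",
    "datasources/index.cfm",
    "j2eepackaging/editarchive.cfm",
    "cfide/administrator/enter.cfm",
)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
TRAVERSAL = re.compile(r"\.\.[/\\]")


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded sequences are seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_suspicious(line):
    """True if the line requests a listed script with a traversal sequence in its query."""
    m = REQUEST.search(line)
    if not m:
        return False
    url = urlsplit(m.group(1))
    path = fully_decode(url.path).lower()
    if not path.endswith(SCRIPTS):
        return False
    return bool(TRAVERSAL.search(fully_decode(url.query)))


# Constructed sample lines; parameter "p" and "example.txt" are placeholders.
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2022:10:00:00 +0000] "GET /CFIDE/administrator/enter.cfm HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2022:10:00:05 +0000] "GET /CFIDE/administrator/enter.cfm?p=..%2f..%2fexample.txt HTTP/1.1" 200 9001',
    '192.0.2.12 - - [01/Jan/2022:10:00:09 +0000] "GET /cfide/administrator/logging/settings.cfm?p=%252e%252e%255cexample.txt HTTP/1.1" 200 7000',
    '192.0.2.13 - - [01/Jan/2022:10:00:12 +0000] "GET /index.cfm?p=../example.txt HTTP/1.1" 404 0',
]


def scan(lines):
    """Return the indexes of log lines that match the advisory's pattern."""
    return [i for i, line in enumerate(lines) if is_suspicious(line)]
```

Request bodies are not recorded in standard access logs, so a clean result from this check does not rule out earlier exploitation.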


Remediation

Install the update from the vendor's website.
