ColdFusion versions 2023.9, 2021.15 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability by providing crafted input to the application, which when deserialized, leads to execution of malicious code. Exploitation of this issue does not require user interaction.

Metrics

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact total

Affected Vendors & Products

Vendors Products
Adobe
  • Coldfusion

Configuration 1 [-]

OR cpe:2.3:a:adobe:coldfusion:2023:-:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2023:update1:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2023:update2:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2023:update3:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2023:update4:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2023:update5:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2023:update6:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2023:update7:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2023:update8:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2023:update9:*:*:*:*:*:*

Configuration 2 [-]

OR cpe:2.3:a:adobe:coldfusion:2021:-:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2021:update1:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2021:update10:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2021:update11:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2021:update12:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2021:update13:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2021:update14:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2021:update15:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2021:update2:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2021:update3:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2021:update4:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2021:update5:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2021:update6:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2021:update7:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2021:update8:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2021:update9:*:*:*:*:*:*

No data.

References
Link Providers
https://helpx.adobe.com/security/products/coldfusion/apsb24-71.html cve-icon cve-icon
History

Fri, 13 Sep 2024 17:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:adobe:coldfusion:2021:-:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2021:update10:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2021:update11:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2021:update12:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2021:update13:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2021:update14:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2021:update15:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2021:update1:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2021:update2:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2021:update3:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2021:update4:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2021:update5:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2021:update6:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2021:update7:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2021:update8:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2021:update9:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2023:-:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2023:update1:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2023:update2:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2023:update3:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2023:update4:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2023:update5:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2023:update6:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2023:update7:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2023:update8:*:*:*:*:*:*
cpe:2.3:a:adobe:coldfusion:2023:update9:*:*:*:*:*:*

Fri, 13 Sep 2024 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe coldfusion
CPEs cpe:2.3:a:adobe:coldfusion:*:*:*:*:*:*:*:*
Vendors & Products Adobe
Adobe coldfusion
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 13 Sep 2024 09:30:00 +0000

Type Values Removed Values Added
Description ColdFusion versions 2023.9, 2021.15 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability by providing crafted input to the application, which when deserialized, leads to execution of malicious code. Exploitation of this issue does not require user interaction.
Title ColdFusion | Deserialization of Untrusted Data (CWE-502)
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2024-09-16T12:56:15.061Z

Reserved: 2024-07-22T17:16:40.944Z

Link: CVE-2024-41874

cve-icon Vulnrichment

Updated: 2024-09-13T13:54:53.231Z

cve-icon NVD

Status : Analyzed

Published: 2024-09-13T10:15:12.447

Modified: 2024-09-13T16:57:52.437

Link: CVE-2024-41874

cve-icon Redhat

No data.