Adobe releases software updates to resolve security issues
- Adobe fixes a bug found in two versions of ColdFusion
- It warned users to patch as soon as possible as a PoC is available
- The bug can be used to create or overwrite critical files
Adobe has fixed a high-severity vulnerability found in two versions of ColdFusion, a rapid development platform for building web applications, APIs and software.
The vulnerability, tracked as CVE-2024-53961, is described as a path traversal flaw, affecting ColdFusion versions 2021 and 2023.
It received a severity score of 7.4 (high), and according to the associated CWE description the flaw can be used to create or overwrite critical files that are used to execute code, such as programs or libraries.
Patch as soon as possible
“An attacker could exploit this vulnerability to access files or folders located outside the restricted folder set by the application,” NIST explains. “This could lead to the release of sensitive information or the manipulation of system data.”
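The NIST description above is the textbook definition of a path traversal flaw: a user-supplied path is joined to an application's restricted folder and the result is used without checking that it still lies inside that folder. The following added example (written for this article, not Adobe's or ColdFusion's code) shows the weak join pattern beside a containment check that canonicalizes the path and rejects anything that resolves outside the base directory. The base directory, file names and the `demo` helper are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


def naive_resolve(base_dir: str, user_path: str) -> str:
    """The weak pattern: join and normalize, trusting the caller.

    A user_path containing '../' segments walks out of base_dir, which is
    exactly the class of flaw described as path traversal.
    """
    return os.path.normpath(os.path.join(base_dir, user_path))


def safe_resolve(base_dir: str, user_path: str) -> str:
    """Return the canonical path only if it stays inside base_dir.

    Raises ValueError for absolute paths, '..' escapes, symlinks that point
    outside the folder, and sibling-prefix tricks such as base_dir + '2'.
    """
    if os.path.isabs(user_path):
        # os.path.join would discard base_dir entirely for an absolute path
        raise ValueError(f"absolute paths are not accepted: {user_path!r}")
    base = os.path.realpath(base_dir)
    # realpath collapses '..' and follows symlinks, so the comparison below
    # is made on what the filesystem would actually open
    candidate = os.path.realpath(os.path.join(base, user_path))
    # commonpath compares whole components, so '/data2' is not treated as
    # being inside '/data' the way a plain startswith() check would
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes restricted folder: {user_path!r}")
    return candidate


def is_contained(base_dir: str, user_path: str) -> bool:
    """Boolean wrapper around safe_resolve for checks and tests."""
    try:
        safe_resolve(base_dir, user_path)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Exercise the check against a constructed directory layout.

    Builds a temporary 'files' folder with one legitimate file and one
    symlink pointing at a file outside the folder, then reports which
    requests the containment check accepts.
    """
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "files")
        os.mkdir(base)
        outside = os.path.join(tmp, "secret.txt")  # constructed, outside base
        Path(outside).write_text("constructed secret")
        Path(os.path.join(base, "ok.txt")).write_text("constructed public file")
        os.symlink(outside, os.path.join(base, "link"))
        return {
            "plain": is_contained(base, "ok.txt"),
            "dotdot": is_contained(base, "../secret.txt"),
            "symlink": is_contained(base, "link"),
            "absolute": is_contained(base, outside),
        }


if __name__ == "__main__":
    print(naive_resolve("/srv/app/files", "../../../etc/passwd"))
    print(demo())
```

The check must run on the fully decoded path (after URL decoding and any application-level unescaping), because a containment test applied before decoding can be bypassed by an encoded separator. Canonicalizing both sides with `realpath` is what makes the symlink case in `demo` fail closed.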
This is also not theoretical. According to BleepingComputer, proof-of-concept (PoC) exploit code is already available.
“Adobe is aware that CVE-2024-53961 has a known proof-of-concept that could lead to an arbitrary file system read,” Adobe said in a security advisory, the publication pointed out. The bug was given a “Priority 1” severity rating by the company because it is “at higher risk of being attacked by exploit(s) in the wild for a given product version and platform.”
Adobe urged users to apply the given patches immediately, preferably within 72 hours. For ColdFusion 2021 it is update 18, and for ColdFusion 2023 it is update 12.
While a PoC is available, there is no word on whether the vulnerability is actually being exploited in the wild. The US Cybersecurity and Infrastructure Security Agency (CISA) does not appear to have added it to its Known Exploited Vulnerabilities (KEV) catalogue, which could indicate that evidence of exploitation has not yet been found.
However, cybercriminals know that many organizations are not very diligent about patching, and they often prefer to hunt for known bugs rather than zero-days. Because a PoC is already available, setting up an attack can be a piece of cake.
Via BleepingComputer