About the Vulnerability
Introduction
ColdFusion is an application server and a Web programming language that allows Web applications to communicate with various backend systems. With ColdFusion, you can create dynamic web pages that respond to user input, database lookups, the time of day, or any other criteria you require. ColdFusion pages are composed of standard HTML and its proprietary ColdFusion Markup Language (CFML).
Summary
On December 24, 2024, Sangfor FarSight Labs received notification of an arbitrary file read vulnerability (CVE-2024-53961) in an Adobe ColdFusion component, classified as high in threat level.
In the emergency security updates released by Adobe, a critical vulnerability in the ColdFusion 2023 and 2021 versions was patched. Attackers could exploit this vulnerability to read arbitrary files from the system, potentially exposing sensitive data and configuration files. Note: Adobe has confirmed that a POC for CVE-2024-53961 is already available.
Affected Versions
Adobe ColdFusion 2023 ≤ Update 11
Adobe ColdFusion 2021 ≤ Update 17
Solutions
Official Solution
Secure Versions:
Adobe ColdFusion 2023 Update 12
Adobe ColdFusion 2021 Update 18
The latest versions have been officially released to fix the vulnerability. Affected users are advised to update Adobe ColdFusion to the secure versions listed above or later.
Download link:
ColdFusion 2023: https://helpx.adobe.com/coldfusion/kb/coldfusion-2023-update-12.html
ColdFusion 2021: https://helpx.adobe.com/coldfusion/kb/coldfusion-2021-update-18.html
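To turn the affected and secure version ranges above into a repeatable check, the following Python script (an added example for this advisory, not code from Adobe or Sangfor) parses ColdFusion version strings of the form "ColdFusion 2023 Update 11" and classifies each host in an inventory as needing the patch, already patched, or outside the advisory's scope. The fixed-update table is taken from this advisory; it assumes updates are numbered sequentially within a release, that a version string without an "Update N" suffix is the base release (update 0), and that releases the advisory does not list (for example ColdFusion 2018) cannot be judged from it. The inventory data is constructed for illustration.

```python
import re

# First patched update per ColdFusion release, from the advisory:
# 2023 Update 12 and 2021 Update 18. Assumption: updates are numbered
# sequentially, so any lower update number within the release is unpatched.
FIXED_UPDATE = {2023: 12, 2021: 18}

# Matches "ColdFusion 2023 Update 11", "Adobe ColdFusion 2021, Update 17",
# or a bare "ColdFusion 2021" (no update suffix).
VERSION_RE = re.compile(
    r"ColdFusion\s+(\d{4})[,\s]*(?:Update\s*(\d+))?", re.IGNORECASE
)


def parse_version(text):
    """Parse a version string into (release_year, update_number).

    A missing 'Update N' suffix is treated as update 0 (the base release).
    """
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised ColdFusion version string: {text!r}")
    release = int(m.group(1))
    update = int(m.group(2)) if m.group(2) else 0
    return release, update


def is_vulnerable(text):
    """Return True if the version is in the affected range, False if patched.

    Returns None for releases the advisory does not cover (assumption: such
    releases must be assessed separately rather than reported as safe).
    """
    release, update = parse_version(text)
    fixed = FIXED_UPDATE.get(release)
    if fixed is None:
        return None
    return update < fixed


def triage(inventory):
    """Bucket a {host: version_string} inventory for patch planning."""
    result = {"needs_patch": [], "patched": [], "unknown": []}
    for host, version in inventory.items():
        status = is_vulnerable(version)
        if status is None:
            result["unknown"].append(host)
        elif status:
            result["needs_patch"].append(host)
        else:
            result["patched"].append(host)
    return result


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative.
    sample = {
        "cf-prod-01": "Adobe ColdFusion 2023 Update 11",
        "cf-prod-02": "Adobe ColdFusion 2023 Update 12",
        "cf-legacy-01": "ColdFusion 2021 Update 17",
        "cf-legacy-02": "ColdFusion 2021",
        "cf-eol-01": "ColdFusion 2018 Update 20",
    }
    for bucket, hosts in triage(sample).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the "unknown" bucket are deliberately not reported as safe: a release the advisory does not mention may be end-of-life rather than unaffected, so they should be checked against Adobe's support matrix rather than closed out.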
Timeline
On December 24, 2024, Sangfor FarSight Labs received notification of Adobe ColdFusion Arbitrary File Read Vulnerability.
On December 24, 2024, Sangfor FarSight Labs released a vulnerability alert.
References
https://helpx.adobe.com/security/products/coldfusion/apsb24-107.html