CVE-2004-2331
Published 2004-12-31
Priority: P4 · 13 · medium · 5.5 (CVSS 3.1)
AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:N / A:N
EPSS: 0.67% (47.5th percentile)
ColdFusion MX 6.1 and 6.1 J2EE allows local users to bypass sandbox security restrictions and obtain sensitive information by using Java reflection methods to access trusted Java objects without using the CreateObject function or cfobject tag.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| macromedia | coldfusion | — | — |
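CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 2.1 | LOW | AV:L/AC:L/Au:N/C:P/I:N/A:N |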
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
CWE
CWE-610: Externally Controlled Reference to a Resource in Another Sphere
mitre_cwe · CVSS 6.5 · MEDIUM
The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.
Modes of Introduction:
Phase: Architecture and Design
Note: COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic.
Common Consequences:
Scope: Confidentiality, Integrity. Impact: Read Application Data, Modify Application Data. An adversary could read or modify data, depending on how the resource is intended to be used.
Scope: Access Control. Impact: Gain Privileges or Assume Identity. An adversary that can supply a reference to an unintended resource can potentially access a resource that they do not have privileges for, thus bypassing
CWE
CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
mitre_cwe
The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.
If the product uses external inputs to determine which class to instantiate or which method to invoke, then an attacker could supply values to select unexpected classes or methods. If this occurs, then the attacker could create control flow paths that were not intended by the developer. These paths could bypass authentication or access control checks, or otherwise cause the product to behave in an unexpected manner. This situation becomes a doomsday scenario if the attacker can upload files into a location that appears on th
http://secunia.com/advisories/10743/
http://www.macromedia.com/devnet/security/security_zone/mpsb04-01.html
http://www.securityfocus.com/bid/9521
https://exchange.xforce.ibmcloud.com/vulnerabilities/14984