⚠ Actively exploited in ransomware campaigns
This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Apply updates per vendor instructions. Due date: 2022-09-07.
CVE-2009-3960
7 documents, 6 sources
Severity
6.5 MEDIUM
EPSS
90.1%
top 0.41%
CISA KEV
KEV, Ransomware
Added 2022-03-07
Due 2022-09-07
Exploit
Exploited in wild
Active exploitation observed
Affected products
Timeline
Published: Feb 15
KEV added: Mar 7
Latest update: May 2
KEV due: Sep 7
Description
Unspecified vulnerability in BlazeDS 3.2 and earlier, as used in LiveCycle 8.0.1, 8.2.1, and 9.0, LiveCycle Data Services 2.5.1, 2.6.1, and 3.0, Flex Data Services 2.0.1, and ColdFusion 7.0.2, 8.0, 8.0.1, and 9.0, allows remote attackers to obtain sensitive information via vectors that are associated with a request, and related to injected tags and external entity references in XML documents.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Exploitability: 2.8 | Impact: 3.6