⚠ Actively exploited

Added to CISA KEV on 2021-11-03. Federal agencies required to patch by 2022-05-03. Required action: Apply updates per vendor instructions..

CVE-2018-4939 — Deserialization of Untrusted Data in Adobe Coldfusion

CWE-502 — Deserialization of Untrusted Data5 documents5 sources

Severity

9.8CRITICALNVD

EPSS

50.5%

top 2.14%

CISA KEV

KEV

Added 2021-11-03

Due 2022-05-03

Exploit

Exploited in wild

Active exploitation observed

Affected products

Adobe Coldfusion

Timeline

PublishedMay 19

KEV addedNov 3

KEV dueMay 3

Latest updateMay 13

CISA Required Action: Apply updates per vendor instructions.

Description

Adobe ColdFusion Update 5 and earlier versions, ColdFusion 11 Update 13 and earlier versions have an exploitable Deserialization of Untrusted Data vulnerability. Successful exploitation could lead to arbitrary code execution.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

▶NVDadobe/coldfusion11.0, 2016+1

🔴Vulnerability Details

GHSA

GHSA-p86w-qv2x-rf6j: Adobe ColdFusion Update 5 and earlier versions, ColdFusion 11 Update 13 and earlier versions have an exploitable Deserialization of Untrusted Data vul↗2022-05-13

▶

CVEList

CVE-2018-4939: Adobe ColdFusion Update 5 and earlier versions, ColdFusion 11 Update 13 and earlier versions have an exploitable Deserialization of Untrusted Data vul↗2018-05-19

▶

VulnCheck

Adobe ColdFusion Deserialization of Untrusted Data Vulnerability↗2018

▶

📋Vendor Advisories

CISA

Adobe ColdFusion Deserialization of Untrusted Data Vulnerability↗2021-11-03

▶