CVE-2022-38421 — Path Traversal in Adobe Coldfusion

CWE-22 — Path Traversal3 documents3 sources

Severity

7.2HIGHNVD

EPSS

32.0%

top 3.18%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Adobe Coldfusion

Timeline

PublishedOct 14

Latest updateOct 15

Description

Adobe ColdFusion versions Update 14 (and earlier) and Update 4 (and earlier) are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction, but does require administrator privileges.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5adobe/coldfusionunspecified — CF2021U4+2

▶NVDadobe/coldfusion2018, 2021+1

Patches

Patch: helpx.adobe.com ↗Patch: helpx.adobe.com ↗

🔴Vulnerability Details

GHSA

GHSA-rx5h-9rr9-9679: Adobe ColdFusion versions Update 14 (and earlier) and Update 4 (and earlier) are affected by an Improper Limitation of a Pathname to a Restricted Dire↗2022-10-15

▶

CVEList

Adobe ColdFusion Application Server Directory Traversal Remote Code Execution Vulnerability↗2022-10-14

▶