Office of the Chief Information Officer

V-063: Adobe ColdFusion Bugs Let Remote Users Gain Access and Obtain Information

January 7, 2013

PROBLEM:

Adobe ColdFusion Bugs Let Remote Users Gain Access and Obtain Information

PLATFORM:

ColdFusion 10, 9.0.2, 9.0.1 and 9.0 for Windows, Macintosh and UNIX

ABSTRACT:

Adobe has identified three vulnerabilities affecting ColdFusion for Windows, Macintosh and UNIX.

REFERENCE LINKS:

Adobe Security Bulletin APSA13-01
SecurityTracker Alert ID: 1027938
CVE-2013-0625
CVE-2013-0629
CVE-2013-0631

IMPACT ASSESSMENT:

High

DISCUSSION:

A remote user can bypass authentication and take control of the target system [CVE-2013-0625]. Systems with password protection disabled or with no password set are affected.

A remote user can gain access to restricted directories [CVE-2013-0629]. Systems with password protection disabled or with no password set are affected.

A remote user can obtain potentially sensitive information [CVE-2013-0631]. Versions 9.0, 9.0.1, and 9.0.2 are affected.

IMPACT:

A remote user can gain access to the target system.

A remote user can obtain potentially sensitive information.

SOLUTION:

No solution was available at the time of this entry. The vendor plans to issue a fix on January 15, 2013.

JC3 Contact:

Voice: Hotline at 1-866-941-2472

World Wide Web: http://energy.gov/cio/services/incident-management

E-mail: circ@jc3.doe.gov

JC3 services are available to JC3-Joint Cybersecurity Coordination Center, and JC3 Contractors.