CVE-2009-3960
Published: 15 February 2010
Summary
CVE-2009-3960 is a medium-severity vulnerability of unspecified weakness type in Adobe ColdFusion. Its CVSS base score is 6.5 (Medium).
Operationally, it ranks in the top 0.4% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-4 (Information Flow Enforcement).
Deeper analysis
The vulnerability is an unspecified flaw in BlazeDS versions 3.2 and earlier that is also present in Adobe LiveCycle 8.0.1, 8.2.1, and 9.0, LiveCycle Data Services 2.5.1, 2.6.1, and 3.0, Flex Data Services 2.0.1, and ColdFusion 7.0.2, 8.0, 8.0.1, and 9.0. It permits remote attackers to obtain sensitive information through specially crafted requests that leverage injected tags and external entity references in XML documents. The issue carries a CVSS score of 6.5 and is tracked without an assigned CWE.
Remote unauthenticated attackers can exploit the flaw over the network by submitting malicious XML content within requests to affected services. Successful exploitation results in unauthorized disclosure of sensitive information from the target system without requiring user interaction.
Adobe has published security bulletin APSB10-05 along with related advisories from Secunia, SecurityTracker, and OSVDB that address remediation steps for the affected products. Organizations are advised to apply the vendor-supplied updates referenced in these bulletins to mitigate exposure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2009-3931
Vulnerability details
Unspecified vulnerability in BlazeDS 3.2 and earlier, as used in LiveCycle 8.0.1, 8.2.1, and 9.0, LiveCycle Data Services 2.5.1, 2.6.1, and 3.0, Flex Data Services 2.0.1, and ColdFusion 7.0.2, 8.0, 8.0.1, and 9.0, allows remote attackers to obtain sensitive information via vectors that are associated with a request, and related to injected tags and external entity references in XML documents.
- CWE(s): none assigned
- KEV Date Added: 07 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of XML input to reject the external entity references and injected tags that enable the information disclosure in this CVE.
- AC-4 (Information Flow Enforcement): enforces information flow policies that block unauthorized exfiltration of sensitive data via malicious XML external entity resolution.
- Requires prompt application of the vendor patches (APSB10-05) that remediate the XXE flaw in the BlazeDS/LiveCycle/ColdFusion components.
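The SI-10 control above comes down to one concrete rule at the XML parsing boundary: refuse any document that carries a DOCTYPE, entity declarations or external entity references before application code sees it, and never let the parser resolve such a reference. The following is an added example of that check, not code from the advisory, from Adobe, or from BlazeDS/ColdFusion (which are Java products and would apply the equivalent setting on their own XML parser). It is stand-alone Python on the standard-library expat parser; the sample documents, the element names and the placeholder SYSTEM targets are constructed for the demonstration.

```python
"""Added example: screen untrusted XML for DTD / external-entity constructs
(the SI-10 input-validation control) using only the standard library."""
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised when a document carries constructs an XXE payload relies on."""


def audit_xml(data: bytes) -> list:
    """Return the dangerous constructs found in `data` (empty list == clean).

    Flags any DOCTYPE, every entity declaration and every external entity
    reference. Nothing is ever fetched: the external-reference callback
    returns 0, which makes expat abort the parse instead of resolving it.
    """
    findings = []
    parser = expat.ParserCreate()

    def start_doctype(name, sysid, pubid, has_internal_subset):
        findings.append(f"doctype:{name}")
        if sysid or pubid:                      # external DTD subset
            findings.append(f"external-dtd:{sysid or pubid}")

    def entity_decl(name, is_param, value, base, sysid, pubid, notation):
        kind = "parameter-entity" if is_param else "entity"
        if value is None:                       # SYSTEM/PUBLIC id, no literal value
            findings.append(f"external-{kind}:{name}={sysid or pubid}")
        else:
            findings.append(f"internal-{kind}:{name}")

    def external_ref(context, base, sysid, pubid):
        findings.append(f"external-ref:{sysid or pubid}")
        return 0                                # 0 => expat raises, never resolves

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref
    try:
        parser.Parse(data, True)
    except expat.ExpatError:
        # Either the deliberate abort above or genuinely malformed input;
        # a malformed document with no other findings is rejected as well.
        if not findings:
            findings.append("malformed")
    return findings


def safe_parse(data: bytes) -> ET.Element:
    """Parse untrusted XML only after audit_xml() found nothing dangerous."""
    findings = audit_xml(data)
    if findings:
        raise UnsafeXML("rejected XML input: " + ", ".join(findings))
    return ET.fromstring(data)


def is_accepted(data: bytes) -> bool:
    """True if safe_parse() accepts the document, False if it is rejected."""
    try:
        safe_parse(data)
    except (UnsafeXML, ET.ParseError):
        return False
    return True


# Constructed sample inputs for the demonstration (not from the advisory).
BENIGN = b"<order><id>42</id><note>plain text</note></order>"
# Shape of the external general entity construct the advisory describes;
# the SYSTEM target is a placeholder.
EXTERNAL_ENTITY = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE order [ <!ENTITY ext SYSTEM "file:///placeholder/secret.txt"> ]>\n'
    b"<order><id>&ext;</id></order>"
)
# External parameter entity: the same control catches it at declaration time.
PARAM_ENTITY = (
    b'<!DOCTYPE order [ <!ENTITY % dtd SYSTEM "http://example.invalid/x.dtd"> %dtd; ]>\n'
    b"<order/>"
)

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("external entity", EXTERNAL_ENTITY),
                       ("parameter entity", PARAM_ENTITY)]:
        print(f"{label:17s} accepted={is_accepted(doc)} findings={audit_xml(doc)}")
```

The findings list doubles as detection output: logging it at the service boundary gives a record of which requests carried DTD or entity constructs, which is the signal a detection rule for this class of attack keys on. Rejecting every DOCTYPE outright is stricter than only blocking external entities, but it is the usual recommendation because it also removes internal-entity and parameter-entity tricks that a narrower filter can miss.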