CVE-2013-0629
Published: 09 January 2013
Summary
CVE-2013-0629 is a high-severity vulnerability of unspecified weakness type in Adobe ColdFusion. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 0.8% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).
Deeper analysis
Adobe ColdFusion versions 9.0, 9.0.1, 9.0.2, and 10 are affected by CVE-2013-0629 when no password is configured for the installation. The flaw permits unauthorized access to restricted directories through unspecified vectors and carries a CVSS 3.1 score of 7.5 reflecting network attack vector, low complexity, and no required authentication or user interaction.
Unauthenticated remote attackers can exploit the condition to read files outside intended web-accessible paths. The vulnerability was observed being exploited in the wild in January 2013.
Adobe addressed the issue in security advisory APSA13-01, which provides mitigation guidance and links to the corresponding bulletin APSB13-03 for patch information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2013-0640
Vulnerability details
Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10, when a password is not configured, allows attackers to access restricted directories via unspecified vectors, as exploited in the wild in January 2013.
- CWE(s)
- KEV Date Added: 07 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 (installations with no password configured).
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces access control decisions to block unauthenticated requests to restricted directories when no password is configured.
- IA-2 (Identification and Authentication (Organizational Users)): Requires identification and authentication before granting access, eliminating the unauthenticated directory traversal condition described in the CVE.
- Secure configuration baseline: Mandates secure baseline configuration settings that would ensure a password is set during ColdFusion installation, closing the reported attack vector.