CVE-2013-0631
Published: 09 January 2013
Summary
CVE-2013-0631 is a high-severity an unspecified weakness vulnerability in Adobe Coldfusion. Its CVSS base score is 7.5 (High).
Operationally, ranked in the top 0.8% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AU-13 (Monitoring for Information Disclosure).
Deeper analysis
Adobe ColdFusion versions 9.0, 9.0.1, and 9.0.2 contain an unspecified information disclosure vulnerability that can be triggered over the network. The flaw carries a CVSS 3.1 base score of 7.5, reflecting high confidentiality impact with no authentication or user interaction required.
Remote attackers can exploit the weakness to obtain sensitive information from affected servers. Public records indicate the vulnerability was actively exploited in the wild as early as January 2013.
Adobe addressed the issue through security advisories APSA13-01 and APSB13-03, which include mitigation guidance and patch information. The vulnerability is also catalogued by CISA as a known exploited vulnerability, confirming ongoing real-world targeting of unpatched ColdFusion 9 installations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2013-0642
Vulnerability details
Adobe ColdFusion 9.0, 9.0.1, and 9.0.2 allows attackers to obtain sensitive information via unspecified vectors, as exploited in the wild in January 2013.
- CWE(s)
- KEV Date Added
- 07 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires timely application of Adobe patches (APSB13-03) to eliminate the remote information disclosure flaw in ColdFusion 9.
Boundary protection can restrict network exposure of unpatched ColdFusion servers, blocking the unauthenticated remote vectors used in the January 2013 exploitation.
Explicitly monitors for unauthorized information disclosure attempts that match the high-confidentiality-impact behavior described in CVE-2013-0631.