CVE-2018-15961
Published: 25 September 2018
Summary
CVE-2018-15961 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Adobe Coldfusion. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-3 (Malicious Code Protection).
Deeper analysis
Adobe ColdFusion versions 2018.0.0.310739 (July 12 release), Update 6 and earlier, and Update 14 and earlier contain an unrestricted file upload vulnerability, identified as CVE-2018-15961 and associated with CWE-434. The affected component permits upload of files without sufficient type or content restrictions on the server.
Remote attackers can exploit the flaw over the network without authentication or user interaction. Successful exploitation results in arbitrary code execution with full impact to confidentiality, integrity, and availability, consistent with the CVSS 9.8 rating.
Adobe published security bulletin APSB18-33 to address the issue. Public exploit code for the vulnerability is available on Exploit-DB.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2018-7817
Vulnerability details
Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have an unrestricted file upload vulnerability. Successful exploitation could lead to arbitrary code execution.
- CWE(s)
- KEV Date Added
- 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation of file uploads to enforce allowed types and content, blocking the unrestricted upload vector in ColdFusion.
Requires malicious-code scanning and blocking on all inputs including uploaded files, preventing the arbitrary code execution that follows exploitation of CVE-2018-15961.
Enforces access-control policy on the upload function itself, ensuring only authorized, validated operations can write files to the server.