CVE-2024-53961
Published: 23 December 2024
Summary
CVE-2024-53961 is a high-severity Path Traversal (CWE-22) vulnerability in Adobe Coldfusion. Its CVSS base score is 8.1 (High).
Operationally, ranked in the top 8.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
ColdFusion versions 2023.11, 2021.17 and earlier contain a path traversal vulnerability (CWE-22) that permits arbitrary file system reads outside an application-restricted directory. The flaw is rated 8.1 under CVSS 3.1 with network attack vector, high complexity, and no required privileges or user interaction, resulting in high impact to confidentiality, integrity, and availability.
An unauthenticated attacker who can reach an exposed ColdFusion admin panel can traverse paths to read sensitive files or alter system data. Exploitation is explicitly conditioned on the administrative interface being accessible from the internet.
The referenced Adobe advisory APSB24-107 at helpx.adobe.com/security/products/coldfusion/apsb24-107.html addresses remediation steps and available patches for the affected ColdFusion releases. The associated EPSS score has remained low and essentially flat since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-52216
Vulnerability details
ColdFusion versions 2023.11, 2021.17 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access files or…
more
directories that are outside of the restricted directory set by the application. This could lead to the disclosure of sensitive information or the manipulation of system data. Exploitation of this issue requires the admin panel be exposed to the internet.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.