CVE-2023-26361
📋 TL;DR
This vulnerability allows authenticated administrators in Adobe ColdFusion to read arbitrary files on the server through path traversal. Attackers with admin access can bypass directory restrictions and access sensitive system files. Affects ColdFusion 2018 Update 15 and earlier, and 2021 Update 5 and earlier.
💻 Affected Systems
- Adobe ColdFusion
📦 What is this software?
Coldfusion by Adobe
Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...
Learn more about Coldfusion →Coldfusion by Adobe
Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...
Learn more about Coldfusion →Coldfusion by Adobe
Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...
Learn more about Coldfusion →Coldfusion by Adobe
Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...
Learn more about Coldfusion →Coldfusion by Adobe
Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...
Learn more about Coldfusion →Coldfusion by Adobe
Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...
Learn more about Coldfusion →Coldfusion by Adobe
Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...
Learn more about Coldfusion →Coldfusion by Adobe
Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...
Learn more about Coldfusion →Coldfusion by Adobe
Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...
Learn more about Coldfusion →Coldfusion by Adobe
Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...
Learn more about Coldfusion →Coldfusion by Adobe
Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...
Learn more about Coldfusion →Coldfusion by Adobe
Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...
Learn more about Coldfusion →Coldfusion by Adobe
Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...
Learn more about Coldfusion →Coldfusion by Adobe
Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...
Learn more about Coldfusion →Coldfusion by Adobe
Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...
Learn more about Coldfusion →Coldfusion by Adobe
Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...
Learn more about Coldfusion →Coldfusion by Adobe
Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...
Learn more about Coldfusion →Coldfusion by Adobe
Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...
Learn more about Coldfusion →Coldfusion by Adobe
Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...
Learn more about Coldfusion →Coldfusion by Adobe
Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...
Learn more about Coldfusion →Coldfusion by Adobe
Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...
Learn more about Coldfusion →Coldfusion by Adobe
Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...
Learn more about Coldfusion →⚠️ Risk & Real-World Impact
Worst Case
Administrator credentials compromised leading to complete file system enumeration, theft of sensitive configuration files, passwords, source code, and other critical data.
Likely Case
Privileged attacker reads configuration files containing database credentials, API keys, or other sensitive information to enable further attacks.
If Mitigated
Limited to reading files within ColdFusion's accessible directories if proper file permissions are enforced.
🎯 Exploit Status
Exploitation requires administrator credentials but is straightforward once those are obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: ColdFusion 2018 Update 16, ColdFusion 2021 Update 6
Vendor Advisory: https://helpx.adobe.com/security/products/coldfusion/apsb23-25.html
Restart Required: Yes
Instructions:
1. Download the appropriate update from Adobe's website. 2. Backup your ColdFusion installation. 3. Apply the update using the ColdFusion Administrator or installer. 4. Restart ColdFusion services.
🔧 Temporary Workarounds
Restrict Administrator Access
allLimit administrator accounts to only trusted personnel and implement strong authentication controls.
File System Permissions
linux/windowsSet strict file permissions on sensitive directories outside ColdFusion's web root.
chmod 600 /path/to/sensitive/files (Linux)
icacls "C:\sensitive\files" /deny "ColdFusionUser":(R) (Windows)
🧯 If You Can't Patch
- Implement network segmentation to isolate ColdFusion servers from sensitive systems.
- Enable detailed logging and monitor for unusual file access patterns by admin users.
🔍 How to Verify
Check if Vulnerable:
Check ColdFusion version in Administrator panel or via cfusion/lib/version.txt file.Check Version:
On Linux: cat /opt/coldfusion/cfusion/lib/version.txt | grep 'Version'Verify Fix Applied:
Verify version is 2018 Update 16 or later, or 2021 Update 6 or later.📡 Detection & Monitoring
Log Indicators:
- Unusual file read patterns in ColdFusion logs
- Administrator accessing files outside expected directories
Network Indicators:
- HTTP requests with path traversal patterns (../ sequences) to ColdFusion endpoints
SIEM Query:
source="coldfusion.log" AND ("..\" OR "../") AND (admin OR administrator)