CVE-2024-34112

7.5 HIGH

Authentication Bypass

📋 TL;DR

This CVE describes an Improper Access Control vulnerability in Adobe ColdFusion that allows unauthenticated attackers to read arbitrary files from the server's file system. Affected systems include ColdFusion 2023 Update 7 and earlier, and ColdFusion 2021 Update 13 and earlier. The vulnerability requires no user interaction and can be exploited remotely.

💻 Affected Systems

Products:

Adobe ColdFusion

Versions: ColdFusion 2023 Update 7 and earlier, ColdFusion 2021 Update 13 and earlier

Operating Systems: All supported platforms (Windows, Linux, macOS)

Default Config Vulnerable: ⚠️ Yes

Notes: All default installations of affected versions are vulnerable. No special configuration is required for exploitation.

📦 What is this software?

Coldfusion by Adobe

Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...

Learn more about Coldfusion →

Coldfusion by Adobe

Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...

Learn more about Coldfusion →

Coldfusion by Adobe

Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...

Learn more about Coldfusion →

Coldfusion by Adobe

Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...

Learn more about Coldfusion →

Coldfusion by Adobe

Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...

Learn more about Coldfusion →

Coldfusion by Adobe

Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...

Learn more about Coldfusion →

Coldfusion by Adobe

Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...

Learn more about Coldfusion →

Coldfusion by Adobe

Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...

Learn more about Coldfusion →

Coldfusion by Adobe

Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...

Learn more about Coldfusion →

Coldfusion by Adobe

Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...

Learn more about Coldfusion →

Coldfusion by Adobe

Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...

Learn more about Coldfusion →

Coldfusion by Adobe

Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...

Learn more about Coldfusion →

Coldfusion by Adobe

Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...

Learn more about Coldfusion →

Coldfusion by Adobe

Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...

Learn more about Coldfusion →

Coldfusion by Adobe

Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...

Learn more about Coldfusion →

Coldfusion by Adobe

Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...

Learn more about Coldfusion →

Coldfusion by Adobe

Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...

Learn more about Coldfusion →

Coldfusion by Adobe

Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...

Learn more about Coldfusion →

Coldfusion by Adobe

Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...

Learn more about Coldfusion →

Coldfusion by Adobe

Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...

Learn more about Coldfusion →

Coldfusion by Adobe

Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...

Learn more about Coldfusion →

Coldfusion by Adobe

Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...

Learn more about Coldfusion →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could read sensitive configuration files, source code, database credentials, or other critical system files, potentially leading to complete system compromise.

🟠

Likely Case

Attackers will read configuration files to discover credentials and other sensitive information that can be used for further attacks.

🟢

If Mitigated

With proper network segmentation and access controls, impact would be limited to files accessible to the ColdFusion service account.

🌐 Internet-Facing: HIGH - The vulnerability can be exploited remotely without authentication, making internet-facing ColdFusion servers immediate targets.

🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this to escalate privileges or move laterally.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

The vulnerability requires no authentication and is straightforward to exploit based on the description.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: ColdFusion 2023 Update 8, ColdFusion 2021 Update 14

Vendor Advisory: https://helpx.adobe.com/security/products/coldfusion/apsb24-41.html

Restart Required: Yes

Instructions:

1. Download the appropriate update from Adobe's website. 2. Stop the ColdFusion service. 3. Apply the update. 4. Restart the ColdFusion service. 5. Verify the update was successful.

🔧 Temporary Workarounds

Network Access Restriction

all

Restrict network access to ColdFusion administration interfaces and application endpoints to trusted IP addresses only.

Use firewall rules to limit access: iptables -A INPUT -p tcp --dport 8500 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 8500 -j DROP

🧯 If You Can't Patch

Implement strict network segmentation to isolate ColdFusion servers from sensitive data stores
Apply principle of least privilege to ColdFusion service account file system permissions

🔍 How to Verify

Check if Vulnerable:

Check ColdFusion version in administrator console or via cfusion/lib/version.txt file

Check Version:

On Windows: type "C:\ColdFusion\cfusion\lib\version.txt" | On Linux: cat /opt/coldfusion/cfusion/lib/version.txt

Verify Fix Applied:

Verify version is ColdFusion 2023 Update 8 or later, or ColdFusion 2021 Update 14 or later

📡 Detection & Monitoring

Log Indicators:

Unusual file access patterns in ColdFusion logs
Requests to unusual file paths or extensions
Multiple failed file read attempts

Network Indicators:

Unusual outbound file transfers from ColdFusion server
Traffic patterns indicating file enumeration

SIEM Query:

source="coldfusion.log" AND ("FileNotFoundException" OR "Permission denied") AND NOT path CONTAINS ".cfm"

📊 Metadata

CVE ID: CVE-2024-34112

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE: CWE-284

Published: June 13, 2024

Last Updated: December 3, 2024

🔗 References

https://helpx.adobe.com/security/products/coldfusion/apsb24-41.html Vendor Advisory
https://helpx.adobe.com/security/products/coldfusion/apsb24-41.html Vendor Advisory