CVE-2010-2861
Summary
Multiple directory traversal vulnerabilities in the administrator console in Adobe ColdFusion 9.0.1 and earlier allow remote attackers to read arbitrary files via the locale parameter to (1) CFIDE/administrator/settings/mappings.cfm, (2) logging/settings.cfm, (3) datasources/index.cfm, (4) j2eepackaging/editarchive.cfm, and (5) enter.cfm in CFIDE/administrator/.
Impact & exploitability
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products we track (1)
Recommendation
This vulnerability is being actively exploited in the wild — patch affected products urgently. Open any affected product above for its exact safe version.
Additional information
- NVD record
- http://www.adobe.com/support/security/bulletins/apsb10-18.html (Advisory)
- http://securityreason.com/securityalert/8137
- http://securityreason.com/securityalert/8148
- http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr10-07
- http://www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/ (Exploit)