CVE-2017-3066
In short
Adobe ColdFusion contains a flaw in how it processes serialized Java objects from the Apache BlazeDS library, allowing attackers to execute arbitrary code on the server without authentication.
Technical detail
A Java deserialization vulnerability (CWE-502) in Apache BlazeDS allows remote attackers to instantiate arbitrary objects by sending specially crafted serialized data to vulnerable ColdFusion versions, leading to unauthenticated remote code execution.
Summary generated and translated by AI from the official description.
Adobe ColdFusion 2016 Update 3 and earlier, ColdFusion 11 update 11 and earlier, ColdFusion 10 Update 22 and earlier have a Java deserialization vulnerability in the Apache BlazeDS library. Successful exploitation could lead to arbitrary code execution.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · Adobe ColdFusion · ColdFusion 2016 Update 3 and earlier, ColdFusion 11 update 11 and earlier, ColdFusion 10 Update 22 and earlier
Public PoCs found — 4
github: github.com/codewhitesec/ColdFusionPwn (★ 96)
github: github.com/cucadili/CVE-2017-3066 (★ 2)
cve_reference: www.exploit-db.com/exploits/43993/ (unverified)
exploitdb: www.exploit-db.com/exploits/43993 (unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.