CVE-2024-20767

Published Mar 18, 2024

Last updated 2 months ago

Overview

Description
ColdFusion versions 2023.6, 2021.12 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary file system read. An attacker could leverage this vulnerability to access or modify restricted files. Exploitation of this issue does not require user interaction. Exploitation of this issue requires the admin panel be exposed to the internet.
Source
psirt@adobe.com
NVD status
Analyzed

Risk scores

CVSS 3.1

Type
Primary
Base score
7.4
Impact score
5.2
Exploitability score
2.2
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Severity
HIGH

Known exploits

Data from CISA

Vulnerability name
Adobe ColdFusion Improper Access Control Vulnerability
Exploit added on
Dec 16, 2024
Exploit action due
Jan 6, 2025
Required action
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Weaknesses

psirt@adobe.com
CWE-284
nvd@nist.gov
NVD-CWE-noinfo

Social media

Hype score
Not currently trending
  1. A new #vulnerability in #AdobeColdFusion (CVE-2024-20767) allows attackers to read and write system files, affecting over 200,000 exposed servers. Learn how to protect your system now: https://t.co/TErfVxlcUU #CybersecurityThreatAdvisory

    @SmarterMSP

    30 Dec 2024

    46 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  2. 🔴 #Adobe ColdFusion Improper Access Control Vulnerability (#CVE-2024-20767) - Critical https://t.co/3THcHRi1ln

    @dailycve

    30 Dec 2024

    27 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  3. CISA warned about two vulnerabilities with the identifiers CVE-2024-20767 and CVE-2024-35250. The first vulnerability concerns the ColdFusion product and allows files to be read. The second vulnerability concerns the Windows kernel and is a privilege escalation. https://t.co/Poz3aKYxT1

    @AmirHossein_sec

    18 Dec 2024

    33 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. CVE-2024-29404 is getting exploited #inthewild. Find out more at https://t.co/sjnUIFDV9P CVE-2024-35250 is getting exploited #inthewild. Find out more at https://t.co/HHQD5WeiX8 CVE-2024-20767 is getting exploited #inthewild. Find out more at https://t.co/QmVvFhkoSA

    @inthewildio

    18 Dec 2024

    17 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. #DOYOUKNOWCVE CISA ALERT! Two critical vulnerabilities added to the CISA KEV catalog. CVE-2024-20767: Adobe ColdFusion Improper Access Control Vulnerability. This flaw arises from improper access control mechanisms, allowing unauthorized users to perform arbitrary file system…

    @Loginsoft_Inc

    18 Dec 2024

    56 Impressions

    2 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  6. We added #Adobe ColdFusion and #Microsoft #Windows kernel vulnerabilities CVE-2024-20767 & CVE-2024-35250 to our Known Exploited Vulnerabilities Catalog. Visit https://t.co/P5CinqZV68 & apply mitigations to protect your org from cyberattacks.

    @byt3n33dl3

    17 Dec 2024

    69 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    1 Reply

    0 Quotes

  7. 🚨 CISA warns U.S. federal agencies of ongoing attacks exploiting Windows kernel flaw (CVE-2024-35250) for SYSTEM privileges. Adobe ColdFusion vulnerability (CVE-2024-20767) also actively exploited. 🔒 #WindowsKernelExploitation #CVE2024 #CybersecurityNe… https://t.co/kToU7hlWjN

    @TweetThreatNews

    17 Dec 2024

    37 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  8. Critical Windows and Adobe ColdFusion Vulnerabilities Actively Exploited in the Wild, PoC Exploit Published Urgent warning: CVE-2024-35250 & CVE-2024-20767 are being actively exploited by malicious actors. Take action now to protect your system https://t.co/o4AOCqctZa

    @the_yellow_fall

    17 Dec 2024

    359 Impressions

    4 Retweets

    4 Likes

    6 Bookmarks

    0 Replies

    1 Quote

  9. csirt_it: ‼️ #Adobe: active in-the-wild exploitation of CVE-2024-20767, affecting #ColdFusion, has been detected ⚠️ Where not already done, prompt updating of the affected software is recommended 🔗 https://t.co/4Nj8RlcqGM https://t.co/W9LXvNvLwp

    @Vulcanux_

    16 Dec 2024

    29 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. ‼️ #Adobe: active in-the-wild exploitation of CVE-2024-20767, affecting #ColdFusion, has been detected ⚠️ Where not already done, prompt updating of the affected software is recommended 🔗 https://t.co/ERa98AoUtK https://t.co/GnTH1UZbnv

    @csirt_it

    16 Dec 2024

    23 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. Latest Known Exploited Vulnerabilities (#KEV) : #CVE-2024-20767 #Adobe #ColdFusion Improper Access Control Vulnerability https://t.co/wZdd36sQJk

    @ScyScan

    16 Dec 2024

    6 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. CISA Adds Two Known Exploited Vulnerabilities to Catalog: CVE-2024-20767 - Adobe ColdFusion Improper Access Control CVE-2024-35250 - Microsoft Windows Kernel-Mode Driver Untrusted Pointer Dereference https://t.co/wO1JEcVjy5 https://t.co/E9q6jwvjOB

    @TMJIntel

    16 Dec 2024

    85 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  13. 🔴 ColdFusion Improper Access Control (#CVE-2024-20767) - HIGH https://t.co/A6jw6G20Pn

    @dailycve

    16 Dec 2024

    36 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  14. Remediation for CVE-2024-20767 and CVE-2024-21216 Potential Exploitable Bugs https://t.co/AIqOWUDHt1

    @_r_netsec

    19 Nov 2024

    1431 Impressions

    5 Retweets

    12 Likes

    7 Bookmarks

    0 Replies

    0 Quotes

Configurations