Vulnerability ID 10461

Adobe ColdFusion 9.0/9.0.1/9.0.2 Password Authentication weak authentication

Adobe
CVSSv3 Temp Score: 5.7
Current Exploit Price (≈): $0-$1k

A vulnerability classified as critical was found in Adobe ColdFusion 9.0/9.0.1/9.0.2. It affects an unknown function of the Password Authentication component. The flaw is a credential management weakness (CWE-255): according to the OSVDB entry cited under Sources, the password hash stored in a configuration file is sufficient to pass authentication, so an attacker who obtains that hash can authenticate without recovering the password itself. The impact is on confidentiality and integrity.

The weakness was published on 09/20/2013 by Immunity and is tracked as the confirmed CVE entry CVE-2010-5290 (MITRE CVE); the advisory is available at cve.mitre.org. The public release was not coordinated with Adobe. The attack can be initiated remotely and requires no prior authentication. At the time this entry was written, neither technical details nor an exploit were publicly available.
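The weakness named in the OSVDB entry under Sources (authenticating with the stored password hash taken from a configuration file) can be illustrated with a small model of a challenge-response login. The following is an added example written for this entry; it is not ColdFusion's code and does not come from Adobe, Immunity or the advisory. The sample password, the challenge format, the function names and the hardened variant are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed sample credential for the demonstration (not a real account).
ADMIN_PASSWORD = "CorrectHorse9"

# --- Weak design (assumed for illustration): the configuration file holds an
# unsalted SHA-1 of the password, and the login protocol only proves
# possession of that hash, never of the password. ---

def weak_stored_record(password: str) -> str:
    """What the weak design keeps on disk: uppercase hex SHA-1 of the password."""
    return hashlib.sha1(password.encode()).hexdigest().upper()

def weak_client_response(challenge: str, password_hash_hex: str) -> str:
    """Client side of the weak login: HMAC-SHA1 over the *hash*, keyed by the
    server's per-login challenge. Whoever holds the hash can compute this."""
    return hmac.new(challenge.encode(), password_hash_hex.encode(),
                    hashlib.sha1).hexdigest()

def weak_server_verify(challenge: str, response: str, stored_hash_hex: str) -> bool:
    """Server side: recompute the expected response from the stored hash."""
    expected = weak_client_response(challenge, stored_hash_hex)
    return hmac.compare_digest(expected, response)

def weak_login_with_password(password: str, challenge: str, stored_hash_hex: str) -> bool:
    """Legitimate user: hashes the password first, then answers the challenge."""
    response = weak_client_response(challenge, weak_stored_record(password))
    return weak_server_verify(challenge, response, stored_hash_hex)

def weak_login_with_hash(leaked_hash_hex: str, challenge: str, stored_hash_hex: str) -> bool:
    """Attacker who read the configuration file: never learns the password and
    answers the challenge directly from the leaked hash (pass-the-hash)."""
    response = weak_client_response(challenge, leaked_hash_hex)
    return weak_server_verify(challenge, response, stored_hash_hex)

# --- Hardened design (assumed for illustration): the stored record is a
# salted, iterated PBKDF2 output and verification needs the plaintext password
# (carried over TLS), so the record on disk is not password-equivalent. ---

PBKDF2_ITERATIONS = 100_000

def hardened_stored_record(password: str, salt: bytes = b"") -> dict:
    """Create the on-disk record; a random salt is drawn unless one is given."""
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS, "dk": dk.hex()}

def hardened_verify(record: dict, candidate_password: str) -> bool:
    """Server derives the key from the submitted plaintext and compares."""
    dk = hashlib.pbkdf2_hmac("sha256", candidate_password.encode(),
                             bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(dk.hex(), record["dk"])

def demo() -> dict:
    """Run both designs against the same leaked-record scenario."""
    challenge = secrets.token_hex(16)
    weak_record = weak_stored_record(ADMIN_PASSWORD)
    hardened_record = hardened_stored_record(ADMIN_PASSWORD)
    return {
        "weak_user_login": weak_login_with_password(ADMIN_PASSWORD, challenge, weak_record),
        # The leaked hash alone is enough in the weak design.
        "weak_pass_the_hash": weak_login_with_hash(weak_record, challenge, weak_record),
        "hardened_user_login": hardened_verify(hardened_record, ADMIN_PASSWORD),
        # Replaying the stored value as if it were the password fails.
        "hardened_pass_the_record": hardened_verify(hardened_record, hardened_record["dk"]),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

What the model shows: in the weak design the hash in the configuration file is password-equivalent, so read access to that file (for example through a separate file-disclosure bug) is as good as knowing the password, and the per-login challenge only stops replay of a captured response, not use of the leaked hash. In the hardened design the server derives the record from the submitted plaintext with a salted, iterated KDF, so a leaked record cannot be replayed and must be cracked offline instead.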

Upgrading to version 10 eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at X-Force (87740).

CVSSv3

Base Score: 6.5
Temp Score: 5.7
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
Reliability: High

CVSSv2

Base Score: 5.8 (CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N)
Temp Score: 4.3 (CVSS2#E:U/RL:OF/RC:C)
Reliability: High

CVSSv2 vector legend (the value selected for this entry is marked with *):

Metric                  Possible values
Access Vector (AV)      Local / Adjacent / Network*
Access Complexity (AC)  High / Medium* / Low
Authentication (Au)     Multiple / Single / None*
Confidentiality (C)     None / Partial* / Complete
Integrity (I)           None / Partial* / Complete
Availability (A)        None* / Partial / Complete

Exploiting

Class: Weak authentication (CWE-255)
Local: No
Remote: Yes

Availability: No
Status: Unproven

Current Price Estimation: $2k-$5k (0-day) / $0-$1k (Today)


Countermeasures

Recommended: Upgrade
Status: Official fix
0-Day Time: 0 days since found

Upgrade: ColdFusion 10

Timeline

09/20/2013 Advisory disclosed
09/20/2013 +0 days CVE assigned
09/20/2013 +0 days NVD disclosed
09/24/2013 +4 days VulDB entry created
12/18/2015 +815 days VulDB entry updated

Sources

Advisory: CVE-2010-5290
Organization: Immunity
Status: Confirmed

CVE: CVE-2010-5290 (mitre.org) (nvd.nist.org) (cvedetails.com)

X-Force: 87740 - Adobe ColdFusion authentication process privilege escalation, High Risk
OSVDB: 97553 - Adobe ColdFusion Password Hash Authentication Configuration File Access Weakness

Entry

Created: 09/24/2013
Updated: 12/18/2015
Entry: 81.3% complete