Adobe ColdFusion 9.0/9.0.1/9.0.2 Password Authentication credentials management
CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
---|---|---|
5.7 | $0-$5k | 0.00 |
A vulnerability classified as critical was found in Adobe ColdFusion 9.0/9.0.1/9.0.2 (Programming Language Software). It affects an unknown part of the Password Authentication component. Manipulation with an unknown input leads to a credentials management vulnerability. CWE classifies the issue as CWE-255. It has an impact on confidentiality and integrity. The summary by CVE is:
The authentication process in Adobe ColdFusion before 10 does not require knowledge of the cleartext password if the password hash is known, which makes it easier for context-dependent attackers to obtain administrative privileges by leveraging read access to the configuration file, a different vulnerability than CVE-2010-2861.
The weakness was released on 09/20/2013 by Immunity as CVE-2010-5290, a confirmed CVE entry (MITRE CVE). The advisory is shared at cve.mitre.org. The public release happened without Adobe's involvement. This vulnerability has been uniquely identified as CVE-2010-5290 since 09/20/2013. It is possible to initiate the attack remotely. No form of authentication is needed for exploitation. Neither technical details nor an exploit are publicly available. The MITRE ATT&CK project assigns the attack technique T1552 to this issue.
Upgrading to version 10 eliminates this vulnerability.
The vulnerability is also documented in the vulnerability database at X-Force (87740).
CVSSv3
VulDB Meta Base Score: 6.5
VulDB Meta Temp Score: 5.7
VulDB Base Score: 6.5
VulDB Temp Score: 5.7
Exploiting
Class: Credentials management
CWE: CWE-255
Local: No
Remote: Yes
Status: Unproven
Countermeasures
Recommended: Upgrade
Upgrade: ColdFusion 10
Timeline
09/20/2013
09/20/2013
09/20/2013
09/24/2013
05/12/2018
Sources
Vendor: adobe.com
Advisory: CVE-2010-5290
Organization: Immunity
Status: Confirmed
CVE: CVE-2010-5290
X-Force: 87740 - Adobe ColdFusion authentication process privilege escalation, High Risk
OSVDB: 97553
Entry
Created: 09/24/2013 16:36
Updated: 05/12/2018 21:38
Changes: 09/24/2013 16:36 (53), 05/12/2018 21:38 (6)