A vulnerability, which was classified as critical, was found in Adobe ColdFusion 9.0/9.0.1/9.0.2 (Programming Language Software). This affects an unknown part of the component Password Authentication. The manipulation with an unknown input leads to a credentials management vulnerability. CWE is classifying the issue as CWE-255. This is going to have an impact on confidentiality, and integrity. The summary by CVE is:

The authentication process in Adobe ColdFusion before 10 does not require knowledge of the cleartext password if the password hash is known, which makes it easier for context-dependent attackers to obtain administrative privileges by leveraging read access to the configuration file, a different vulnerability than CVE-2010-2861.

The weakness was released 09/20/2013 with Immunity as CVE-2010-5290 as confirmed cve entry (MITRE CVE). The advisory is shared at cve.mitre.org. The public release happened without involvement of Adobe. This vulnerability is uniquely identified as CVE-2010-5290 since 09/20/2013. It is possible to initiate the attack remotely. No form of authentication is needed for exploitation. Neither technical details nor an exploit are publicly available. MITRE ATT&CK project uses the attack technique T1552 for this issue.

Upgrading to version 10 eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at X-Force (87740).

Productinfo

Type

• Programming Language Software

Vendor

• Adobe

Name

• ColdFusion

Version

• 9.0
• 9.0.1
• 9.0.2

License

• commercial

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion