ColdFusion version 2021 update 1 (and earlier) and versions 2018.10 (and earlier) are impacted by an improper access control vulnerability when checking permissions in the CFIDE path. An authenticated attacker could leverage this vulnerability to access and manipulate arbitrary data on the environment.
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Coldfusion | Adobe | * | 2018 (excluding) |
| Coldfusion | Adobe | 2018 (including) | 2018 (including) |
| Coldfusion | Adobe | 2018-update1 (including) | 2018-update1 (including) |
| Coldfusion | Adobe | 2018-update10 (including) | 2018-update10 (including) |
| Coldfusion | Adobe | 2018-update2 (including) | 2018-update2 (including) |
| Coldfusion | Adobe | 2018-update3 (including) | 2018-update3 (including) |
| Coldfusion | Adobe | 2018-update4 (including) | 2018-update4 (including) |
| Coldfusion | Adobe | 2018-update5 (including) | 2018-update5 (including) |
| Coldfusion | Adobe | 2018-update6 (including) | 2018-update6 (including) |
| Coldfusion | Adobe | 2018-update7 (including) | 2018-update7 (including) |
| Coldfusion | Adobe | 2018-update8 (including) | 2018-update8 (including) |
| Coldfusion | Adobe | 2018-update9 (including) | 2018-update9 (including) |
| Coldfusion | Adobe | 2021 (including) | 2021 (including) |
Access control involves the use of several protection mechanisms such as:
When any mechanism is not applied or otherwise fails, attackers can compromise the security of the product by gaining privileges, reading sensitive information, executing commands, evading detection, etc. There are two distinct behaviors that can introduce access control weaknesses: