PT-2016-1959 · Apache+1 · Apache Commons Collections+1
Published
2016-05-11
·
Updated
2020-09-04
·
CVE-2016-1114
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Adobe ColdFusion versions 10 before Update 19
Adobe ColdFusion versions 11 before Update 8
Adobe ColdFusion versions 2016 before Update 1
Description
The issue allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections library. This is due to the deserialization of untrusted data in memory. Exploitation of the issue may enable a remote attacker to execute arbitrary commands using a specially crafted serialized Java object.
Recommendations
For Adobe ColdFusion 10, apply Update 19 to resolve the issue.
For Adobe ColdFusion 11, apply Update 8 to resolve the issue.
For Adobe ColdFusion 2016, apply Update 1 to resolve the issue.
Fix
RCE
Deserialization of Untrusted Data
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Coldfusion
Apache Commons Collections