Description

ColdFusion Flash Remoting is vulnerable to deserialization attacks. An attacker could exploit this vulnerability using specially-crafted serialized data to execute arbitrary code on the system or to perform denial of service attack.

Remediation

Upgrade to the latest version of ColdFusion

References

APSB17-14

Java Unmarshaller Security - Turning your data into code execution

Related Vulnerabilities

PHP 4.3.0 file disclosure and possible code execution

Ruby on Rails directory traversal vulnerability

WordPress Plugin Unlimited Elements For Elementor (Free Widgets, Addons, Templates) Remote Code Execution (1.5.89)

WordPress Plugin PHP Speedy 'admin_container.php' Remote PHP Code Execution (0.5.2)

Drupal Core 8.x.x Remote Code Execution (8.0.0 - 8.7.14)

Severity

High

Classification

CVE-2017-3066 CWE-502 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Code Execution Insecure Deserialization Acumonitor Denial Of Service