Description

ColdFusion allows an unauthenticated user to connect to any LDAP server. An attacker can exploit it to achieve remote code execution.

Remediation

Upgrade to the latest version of ColdFusion.

References

APSB18-33

A Journey From JNDI/LDAP Manipulation To RCE

Related Vulnerabilities

WordPress Plugin WP-Filebase Download Manager Remote Code Execution (0.3.0.03)

Drupal 7 arbitrary PHP code execution and information disclosure

Oracle Business Intelligence AMF Deserialization RCE CVE-2020-2950

Drupal Core 5.x Arbitrary Code Execution (5.0 - 5.0)

WordPress Plugin Divi Builder PHP Code Injection (4.0.9)

Severity

High

Classification

CVE-2018-15957 CWE-502 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Code Execution