CVE-2013-0632

Adobe ColdFusion Authentication Bypass Vulnerability

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

Yes

*KEV

Decision

Act

*SSVC

Descriptions

administrator.cfc in Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote attackers to bypass authentication and possibly execute arbitrary code by logging in to the RDS component using the default empty password and leveraging this session to access the administrative web interface, as exploited in the wild in January 2013.

En el archivo administrator.cfc en ColdFusion de Adobe versiones 9.0, 9.0.1, 9.0.2 y 10, permite a los atacantes remotos omitir la autenticación y posiblemente ejecutar código arbitrario mediante el inicio de sesión en el componente RDS con el valor de contraseña vacía por defecto y aprovechando esta sesión para acceder a la interfaz web administrativa, como se explotó “in the wild” en Enero de 2013.

Adobe ColdFusion versions 9.0, 9.0.1, and 9.0.2 do not properly check the "rdsPasswordAllowed" field when accessing the Administrator API CFC that is used for logging in. The login function never checks if RDS is enabled when rdsPasswordAllowed="true". This means that if RDS was not configured, the RDS user does not have a password associated with their username. This means by setting rdsPasswordAllowed to "true", we can bypass the admin login to use the rdsPassword, which in most cases, is blank. These details were purchased through the Packet Storm Bug Bounty program and are being released to the community.

An authentication bypass vulnerability exists in Adobe ColdFusion which could result in an unauthorized user gaining administrative access.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Act

Exploitation

Active

Automatable

Yes

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2012-12-18 CVE Reserved
2013-01-17 CVE Published
2013-04-10 First Exploit
2022-03-03 Exploited in Wild
2022-03-24 KEV Due Date
2025-02-04 CVE Updated
2025-03-30 EPSS Updated

CWE

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-276: Incorrect Default Permissions

CAPEC

References (7)

URL	Tag	Source

URL	Date	SRC
https://packetstorm.news/files/id/122864	2013-08-19
https://www.exploit-db.com/exploits/30210	2013-12-11
https://www.exploit-db.com/exploits/24946	2013-04-10
https://www.exploit-db.com/exploits/27755	2013-08-21
http://www.exploit-db.com/exploits/30210	2025-02-04

URL	Date	SRC

URL	Date	SRC
http://www.adobe.com/support/security/advisories/apsa13-01.html	2014-01-17
http://www.adobe.com/support/security/bulletins/apsb13-03.html	2014-01-17

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Adobe Search vendor "Adobe"		Coldfusion Search vendor "Adobe" for product "Coldfusion"				9.0 Search vendor "Adobe" for product "Coldfusion" and version "9.0"		-		Affected
Adobe Search vendor "Adobe"		Coldfusion Search vendor "Adobe" for product "Coldfusion"				9.0.1 Search vendor "Adobe" for product "Coldfusion" and version "9.0.1"		-		Affected
Adobe Search vendor "Adobe"		Coldfusion Search vendor "Adobe" for product "Coldfusion"				9.0.2 Search vendor "Adobe" for product "Coldfusion" and version "9.0.2"		-		Affected
Adobe Search vendor "Adobe"		Coldfusion Search vendor "Adobe" for product "Coldfusion"				10.0 Search vendor "Adobe" for product "Coldfusion" and version "10.0"		-		Affected