CVE-2024-34113

ColdFusion | Weak Cryptography for Passwords (CWE-261)

Severity Score

5.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

ColdFusion versions 2023u7, 2021u13 and earlier are affected by a Weak Cryptography for Passwords vulnerability that could result in a security feature bypass. This vulnerability arises due to the use of insufficiently strong cryptographic algorithms or flawed implementation that compromises the confidentiality of password data. An attacker could exploit this weakness to decrypt or guess passwords, potentially gaining unauthorized access to protected resources. Exploitation of this issue does not require user interaction.

Las versiones 2023u7, 2021u13 y anteriores de ColdFusion se ven afectadas por una vulnerabilidad de criptografía débil para contraseñas que podría provocar una omisión de la función de seguridad. Esta vulnerabilidad surge debido al uso de algoritmos criptográficos insuficientemente fuertes o a una implementación defectuosa que compromete la confidencialidad de los datos de las contraseñas. Un atacante podría aprovechar esta debilidad para descifrar o adivinar contraseñas, obteniendo potencialmente acceso no autorizado a recursos protegidos. La explotación de este problema no requiere la interacción del usuario.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-04-30 CVE Reserved
2024-06-13 CVE Published
2024-07-20 EPSS Updated
2024-09-16 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-261: Weak Encoding for Password
CWE-326: Inadequate Encryption Strength

CAPEC

References (1)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
https://helpx.adobe.com/security/products/coldfusion/apsb24-41.html	2024-07-19

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Adobe Search vendor "Adobe"		Coldfusion Search vendor "Adobe" for product "Coldfusion"				2021 Search vendor "Adobe" for product "Coldfusion" and version "2021"		update1		Affected
Adobe Search vendor "Adobe"		Coldfusion Search vendor "Adobe" for product "Coldfusion"				2021 Search vendor "Adobe" for product "Coldfusion" and version "2021"		update10		Affected
Adobe Search vendor "Adobe"		Coldfusion Search vendor "Adobe" for product "Coldfusion"				2021 Search vendor "Adobe" for product "Coldfusion" and version "2021"		update11		Affected
Adobe Search vendor "Adobe"		Coldfusion Search vendor "Adobe" for product "Coldfusion"				2021 Search vendor "Adobe" for product "Coldfusion" and version "2021"		update12		Affected
Adobe Search vendor "Adobe"		Coldfusion Search vendor "Adobe" for product "Coldfusion"				2021 Search vendor "Adobe" for product "Coldfusion" and version "2021"		update13		Affected
Adobe Search vendor "Adobe"		Coldfusion Search vendor "Adobe" for product "Coldfusion"				2021 Search vendor "Adobe" for product "Coldfusion" and version "2021"		update2		Affected
Adobe Search vendor "Adobe"		Coldfusion Search vendor "Adobe" for product "Coldfusion"				2021 Search vendor "Adobe" for product "Coldfusion" and version "2021"		update3		Affected
Adobe Search vendor "Adobe"		Coldfusion Search vendor "Adobe" for product "Coldfusion"				2021 Search vendor "Adobe" for product "Coldfusion" and version "2021"		update4		Affected
Adobe Search vendor "Adobe"		Coldfusion Search vendor "Adobe" for product "Coldfusion"				2021 Search vendor "Adobe" for product "Coldfusion" and version "2021"		update5		Affected
Adobe Search vendor "Adobe"		Coldfusion Search vendor "Adobe" for product "Coldfusion"				2021 Search vendor "Adobe" for product "Coldfusion" and version "2021"		update6		Affected
Adobe Search vendor "Adobe"		Coldfusion Search vendor "Adobe" for product "Coldfusion"				2021 Search vendor "Adobe" for product "Coldfusion" and version "2021"		update7		Affected
Adobe Search vendor "Adobe"		Coldfusion Search vendor "Adobe" for product "Coldfusion"				2021 Search vendor "Adobe" for product "Coldfusion" and version "2021"		update8		Affected
Adobe Search vendor "Adobe"		Coldfusion Search vendor "Adobe" for product "Coldfusion"				2021 Search vendor "Adobe" for product "Coldfusion" and version "2021"		update9		Affected
Adobe Search vendor "Adobe"		Coldfusion Search vendor "Adobe" for product "Coldfusion"				2023 Search vendor "Adobe" for product "Coldfusion" and version "2023"		update1		Affected
Adobe Search vendor "Adobe"		Coldfusion Search vendor "Adobe" for product "Coldfusion"				2023 Search vendor "Adobe" for product "Coldfusion" and version "2023"		update2		Affected
Adobe Search vendor "Adobe"		Coldfusion Search vendor "Adobe" for product "Coldfusion"				2023 Search vendor "Adobe" for product "Coldfusion" and version "2023"		update3		Affected
Adobe Search vendor "Adobe"		Coldfusion Search vendor "Adobe" for product "Coldfusion"				2023 Search vendor "Adobe" for product "Coldfusion" and version "2023"		update4		Affected
Adobe Search vendor "Adobe"		Coldfusion Search vendor "Adobe" for product "Coldfusion"				2023 Search vendor "Adobe" for product "Coldfusion" and version "2023"		update5		Affected
Adobe Search vendor "Adobe"		Coldfusion Search vendor "Adobe" for product "Coldfusion"				2023 Search vendor "Adobe" for product "Coldfusion" and version "2023"		update6		Affected
Adobe Search vendor "Adobe"		Coldfusion Search vendor "Adobe" for product "Coldfusion"				2023 Search vendor "Adobe" for product "Coldfusion" and version "2023"		update7		Affected