Description

ColdFusion allows an unauthenticated user to connect to any LDAP server. An attacker can exploit it to achieve remote code execution.

Remediation

Upgrade to the latest version of ColdFusion.

References

APSB18-33

A Journey From JNDI/LDAP Manipulation To RCE

Related Vulnerabilities

EktronCMS Saxon XSLT parser remote code execution

Grav CMS Unauthenticated RCE (CVE-2021-21425)

WordPress Plugin MobiLoud-WordPress Mobile Apps-Convert your WordPress Website to Native Mobile Apps Remote Code Execution (4.0.1)

WordPress Plugin WP Maintenance Mode Remote Code Execution (2.0.6)

Elasticsearch remote code execution

Severity

High

Classification

CVE-2018-15957 CWE-502 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Code Execution Acumonitor