ColdFusion PMS Arbitrary File Read (CVE-2024-20767) - Vulnerability Database

Description

Adobe ColdFusion versions 2021 Update 12 and earlier, and 2023 Update 6 and earlier contain an improper access control vulnerability (CVE-2024-20767) that allows unauthenticated remote attackers to read arbitrary files from the underlying operating system. This vulnerability bypasses normal authentication mechanisms and file access restrictions, potentially exposing sensitive configuration files, application source code, and system files.

Remediation

Immediately apply the latest security updates from Adobe: upgrade ColdFusion 2021 to Update 13 or later, or ColdFusion 2023 to Update 7 or later. Follow these steps:
1. Review Adobe Security Bulletin APSB24-14 for your specific version
2. Back up your ColdFusion configuration and applications
3. Download and install the appropriate update from Adobe's official website
4. Restart the ColdFusion service after installation
5. Verify the update by checking the ColdFusion Administrator version number
6. Review server logs for any suspicious file access attempts prior to patching
7. If immediate patching is not possible, implement network-level access controls to restrict ColdFusion server access to trusted IP addresses only