The vulnerability is identified as CVE-2013-3336 and affects ColdFusion 10, 9.0.2, 9.0.1, 9.0 and earlier versions for Windows, Mac and Unix, Adobe said in an advisory published on Wednesday.
The company credited Marcin Siedlarz of Symantec’s Security Response team with reporting the issue. “There are reports that an exploit for this vulnerability is publicly available,” Adobe said.
The company is working on a fix and expects to release it publicly on 14 May. Until then, customers are advised to restrict public access to certain sensitive directories like CFIDE/administrator, CFIDE/adminapi and CFIDE/gettingstarted.
Information on how to restrict access to these directories is provided in the ColdFusion 9 Lockdown Guide and ColdFusion 10 Lockdown Guide. Customers who hardened their ColdFusion installations following the guidance provided in these technical documents are already protected against CVE-2013-3336, Adobe said.
Even though it’s not as widely used as some other Adobe products, ColdFusion has been targeted by hackers in the past. In April, virtual private server hosting company Linode reported that hackers gained access to its web server and customer database by exploiting a previously unknown ColdFusion vulnerability.
In January, Adobe issued a security advisory warning customers about four previously unknown ColdFusion vulnerabilities that were being actively exploited by attackers. The mitigation steps recommended at the time also involved disabling external access to the /CFIDE/administrator and /CFIDE/adminapi directories.
by Lucian Constantin, IDG News Service