Adobe on Wednesday night, issued a Security Advisory (APSA13-03) for a newly disclosed critical security vulnerability in Adobe ColdFusion.
The critical vulnerability (CVE-2013-3336) affects ColdFusion 10, 9.0.2, 9.0.1 and 9.0 and earlier versions for Windows, Macintosh and UNIX, Adobe said, and could allow an attacker to remotely access files stored on the server.
There have been reports that an exploit for the vulnerability is publicly available.
Some customers may always have protections in place, as Adobe said ColdFusion users who have restricted public access to the CFIDE/administrator, CFIDE/adminapi and CFIDE/gettingstarted directories are already safe from the issue.
For ColdFusion customers that have not applied the above steps, Adobe recommends implementing the following configuration settings:
Restrict public access to the CFIDE/administrator, CFIDE/adminapi and CFIDE/gettingstarted directories by following the hardening guidance in the ColdFusion 9 Lockdown Guide and ColdFusion 10 Lockdown Guide.
Adobe is in the process of creating a fix for the issue and says a hotfix will be available on Tuesday, May 14, 2013.
Symantec’s Marcin Siedlarz was credited for reporting the issue to Adobe.