Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
1000
VMScore

CVE-2017-3066

Published: 27/04/2017 Updated: 04/09/2020
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 1000
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Subscribe to Adobe

Vulnerability Summary

Adobe ColdFusion 2016 Update 3 and previous versions, ColdFusion 11 update 11 and previous versions, ColdFusion 10 Update 22 and previous versions have a Java deserialization vulnerability in the Apache BlazeDS library. Successful exploitation could lead to arbitrary code execution.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

adobe coldfusion 10.0

adobe coldfusion 11.0

adobe coldfusion 2016

Exploits

Exploit DB: Adobe Coldfusion 11.0.03.292866 - BlazeDS Java Object Deserialization Remote Code Execution
# Exploit Title: Adobe Coldfusion BlazeDS Java Object Deserialization RCE # Date: February 6, 2018 # Exploit Author: Faisal Tameesh (@DreadSystems) # Company: Depth Security (depthsecuritycom) # Version: Adobe Coldfusion (11003292866) # Tested On: Windows 10 Enterprise (10015063) # CVE: CVE-2017-3066 # Advisory: helpxadobeco ...
Exploit DB: Adobe Coldfusion 11.0.03.292866 Remote Code Execution
Adobe Coldfusion version 11003292866 BlazeDS java object deserialization remote code execution exploit ...

Github Repositories

https://github.com/cucadili/CVE-2017-3066

The study of vulnerability CVE-2017-3066. Java deserialization

CVE-2017-3066 Description Adobe ColdFusion uses message format the Action (AMF) The AMF Protocol is a custom binary serialization Protocol It has two formats: AMF0 and AMF3 Action message consists of headers and bodies There are several implementations of AMF in different languages For Java we have Adobe BlazeDS (now Apache BlazeDS) which is also used in Adobe ColdFusion

https://github.com/codewhitesec/ColdFusionPwn

Exploitation Tool for CVE-2017-3066 targeting Adobe Coldfusion 11/12

ColdFusionPwn Exploitation Tool for CVE-2017-3066 targeting Adobe Coldfusion 11/12 Description The tool allows you to generate serialized AMF-payloads to exploit the missing input validation of allowed classes For details see our blog post Install Get the latest version of ysoserial Get ColdFusionPwn from releases Usage java -cp ColdFusionPwn-001-SNAPSHOT-alljar:ysoseri

https://github.com/Pocm0n/Web-Coldfusion-Vulnerability-POC

Web-Coldfusion-Vulnerability-POC PT-BR PAPER neste paper irei mostrar como explorar O CVE-2018–15961 e CVE-2017–3066 endpoints web server coldfusion: cfc, cfm, cfml e outros primeiro CVE: CVE-2018-15961** ############## entrypoint: /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadcfm ############## reference exploit: githubcom/xbufu/CVE-2018-159

References

CWE-502https://helpx.adobe.com/security/products/coldfusion/apsb17-14.htmlhttp://www.securityfocus.com/bid/98003http://www.securitytracker.com/id/1038364https://www.exploit-db.com/exploits/43993/https://nvd.nist.govhttps://www.exploit-db.com/exploits/43993/https://github.com/cucadili/CVE-2017-3066
VMScore
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-3581reflected XSSCVE-2024-26925CVE-2024-27956LFICVE-2024-3607CVE-2024-3107CVE-2024-3295SQL
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook