CVE-2009-3960 (GCVE-0-2009-3960)

Vulnerability from cvelistv5 – Published: 2010-02-15 18:00 – Updated: 2025-10-22 00:05
VLAI? CISA KEV
Summary
Unspecified vulnerability in BlazeDS 3.2 and earlier, as used in LiveCycle 8.0.1, 8.2.1, and 9.0, LiveCycle Data Services 2.5.1, 2.6.1, and 3.0, Flex Data Services 2.0.1, and ColdFusion 7.0.2, 8.0, 8.0.1, and 9.0, allows remote attackers to obtain sensitive information via vectors that are associated with a request, and related to injected tags and external entity references in XML documents.
Severity ?
6.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CWE
  • n/a
Assigner
References
http://www.securityfocus.com/bid/38197 vdb-entryx_refsource_BID
http://securitytracker.com/id?1023584 vdb-entryx_refsource_SECTRACK
http://www.osvdb.org/62292 vdb-entryx_refsource_OSVDB
http://secunia.com/advisories/38543 third-party-advisoryx_refsource_SECUNIA
https://www.exploit-db.com/exploits/41855/ exploitx_refsource_EXPLOIT-DB
http://www.adobe.com/support/security/bulletins/a… x_refsource_CONFIRM
CISA KEV
Known Exploited Vulnerability - GCVE BCP-07 Compliant
KEV entry ID: 5ebdca71-ae6a-480c-972d-81c2edfff058

Vulnerability ID: CVE-2009-3960

Status: Confirmed

Status Updated: 2022-03-07 00:00 UTC

Exploited: Yes

Timestamps
First Seen: 2022-03-07
Asserted: 2022-03-07
Scope
Notes: KEV entry: Adobe BlazeDS Information Disclosure Vulnerability | Affected: Adobe / BlazeDS | Description: Adobe BlazeDS, which is utilized in LifeCycle and Coldfusion, contains a vulnerability that allows for information disclosure. | Required action: Apply updates per vendor instructions. | Due date: 2022-09-07 | Known ransomware campaign use (KEV): Known | Notes (KEV): https://nvd.nist.gov/vuln/detail/CVE-2009-3960
Evidence

Type: Vendor Report

Signal: Successful Exploitation

Confidence: 80%

Source: cisa-kev

Details
Cwes
Feed CISA Known Exploited Vulnerabilities Catalog
Product BlazeDS
Due Date 2022-09-07
Date Added 2022-03-07
Vendorproject Adobe
Vulnerabilityname Adobe BlazeDS Information Disclosure Vulnerability
Knownransomwarecampaignuse Known
References
Created: 2026-02-02 12:28 UTC | Updated: 2026-02-06 07:17 UTC
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-07T06:45:50.647Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "38197",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/38197"
          },
          {
            "name": "1023584",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://securitytracker.com/id?1023584"
          },
          {
            "name": "62292",
            "tags": [
              "vdb-entry",
              "x_refsource_OSVDB",
              "x_transferred"
            ],
            "url": "http://www.osvdb.org/62292"
          },
          {
            "name": "38543",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/38543"
          },
          {
            "name": "41855",
            "tags": [
              "exploit",
              "x_refsource_EXPLOIT-DB",
              "x_transferred"
            ],
            "url": "https://www.exploit-db.com/exploits/41855/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.adobe.com/support/security/bulletins/apsb10-05.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2009-3960",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-04T21:42:52.303476Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2022-03-07",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2009-3960"
              },
              "type": "kev"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "description": "CWE-noinfo Not enough information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-22T00:05:53.086Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2009-3960"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2022-03-07T00:00:00+00:00",
            "value": "CVE-2009-3960 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2010-02-11T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Unspecified vulnerability in BlazeDS 3.2 and earlier, as used in LiveCycle 8.0.1, 8.2.1, and 9.0, LiveCycle Data Services 2.5.1, 2.6.1, and 3.0, Flex Data Services 2.0.1, and ColdFusion 7.0.2, 8.0, 8.0.1, and 9.0, allows remote attackers to obtain sensitive information via vectors that are associated with a request, and related to injected tags and external entity references in XML documents."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-08-15T09:57:01.000Z",
        "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "shortName": "adobe"
      },
      "references": [
        {
          "name": "38197",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/38197"
        },
        {
          "name": "1023584",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://securitytracker.com/id?1023584"
        },
        {
          "name": "62292",
          "tags": [
            "vdb-entry",
            "x_refsource_OSVDB"
          ],
          "url": "http://www.osvdb.org/62292"
        },
        {
          "name": "38543",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/38543"
        },
        {
          "name": "41855",
          "tags": [
            "exploit",
            "x_refsource_EXPLOIT-DB"
          ],
          "url": "https://www.exploit-db.com/exploits/41855/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.adobe.com/support/security/bulletins/apsb10-05.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@adobe.com",
          "ID": "CVE-2009-3960",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Unspecified vulnerability in BlazeDS 3.2 and earlier, as used in LiveCycle 8.0.1, 8.2.1, and 9.0, LiveCycle Data Services 2.5.1, 2.6.1, and 3.0, Flex Data Services 2.0.1, and ColdFusion 7.0.2, 8.0, 8.0.1, and 9.0, allows remote attackers to obtain sensitive information via vectors that are associated with a request, and related to injected tags and external entity references in XML documents."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "38197",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/38197"
            },
            {
              "name": "1023584",
              "refsource": "SECTRACK",
              "url": "http://securitytracker.com/id?1023584"
            },
            {
              "name": "62292",
              "refsource": "OSVDB",
              "url": "http://www.osvdb.org/62292"
            },
            {
              "name": "38543",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/38543"
            },
            {
              "name": "41855",
              "refsource": "EXPLOIT-DB",
              "url": "https://www.exploit-db.com/exploits/41855/"
            },
            {
              "name": "http://www.adobe.com/support/security/bulletins/apsb10-05.html",
              "refsource": "CONFIRM",
              "url": "http://www.adobe.com/support/security/bulletins/apsb10-05.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
    "assignerShortName": "adobe",
    "cveId": "CVE-2009-3960",
    "datePublished": "2010-02-15T18:00:00.000Z",
    "dateReserved": "2009-11-16T00:00:00.000Z",
    "dateUpdated": "2025-10-22T00:05:53.086Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "cisa_known_exploited": {
      "cveID": "CVE-2009-3960",
      "dateAdded": "2022-03-07",
      "dueDate": "2022-09-07",
      "knownRansomwareCampaignUse": "Known",
      "notes": "https://nvd.nist.gov/vuln/detail/CVE-2009-3960",
      "product": "BlazeDS",
      "requiredAction": "Apply updates per vendor instructions.",
      "shortDescription": "Adobe BlazeDS, which is utilized in LifeCycle and Coldfusion, contains a vulnerability that allows for information disclosure.",
      "vendorProject": "Adobe",
      "vulnerabilityName": "Adobe BlazeDS Information Disclosure Vulnerability"
    },
    "fkie_nvd": {
      "cisaActionDue": "2022-09-07",
      "cisaExploitAdd": "2022-03-07",
      "cisaRequiredAction": "Apply updates per vendor instructions.",
      "cisaVulnerabilityName": "Adobe BlazeDS Information Disclosure Vulnerability",
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:adobe:blazeds:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"3.2\", \"matchCriteriaId\": \"AEF7C97E-BE99-415D-B12B-D3E7BD9EDF08\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:adobe:coldfusion:7.0.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B015715F-9672-480E-B0AA-968D8C9070D5\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:adobe:coldfusion:8.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"DD6C1877-7412-4FBE-9641-334971F9D153\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:adobe:coldfusion:8.0.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"28C8D6AF-EDE1-42BD-A47C-2EF8690299BD\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:adobe:coldfusion:9.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"113431FB-E4BE-4416-800C-6B13AD1C0E92\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:adobe:flex_data_services:2.0.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B6F65E3F-F3E7-4BE9-A13B-87FFF3B3777E\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:adobe:lifecycle:8.0.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"2A1EAAD5-7A00-4EC3-9F97-D2965E2569D8\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:adobe:lifecycle:8.2.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"D227BD60-5882-4C73-A642-EEE1E485FC48\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:adobe:lifecycle:9.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"3824D1B3-CE8E-488C-B241-BBD764C935F5\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:adobe:lifecycle_data_services:2.5.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"EDF0B56D-E982-44CE-92E8-DA696E33717A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:adobe:lifecycle_data_services:2.6.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"18CBBE17-8E63-4A48-997B-850702442394\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:adobe:lifecycle_data_services:3.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"3080073F-5BF3-415D-917A-C04DDCEEB311\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Unspecified vulnerability in BlazeDS 3.2 and earlier, as used in LiveCycle 8.0.1, 8.2.1, and 9.0, LiveCycle Data Services 2.5.1, 2.6.1, and 3.0, Flex Data Services 2.0.1, and ColdFusion 7.0.2, 8.0, 8.0.1, and 9.0, allows remote attackers to obtain sensitive information via vectors that are associated with a request, and related to injected tags and external entity references in XML documents.\"}, {\"lang\": \"es\", \"value\": \"Vulnerabilidad sin especificar en BlazeDS v3.2 y anteriores, tal como es utilizado en LiveCycle v8.0.1, v8.2.1 y v9.0, LiveCycle Data Services v2.5.1, v2.6.1 y v3.0, Flex Data Services v2.0.1 y ColdFusion v7.0.2, v8.0, v8.0.1 y v9.0. Permite a atacantes remotos obtener informaci\\u00f3n confidencial a trav\\u00e9s de vectores de ataque asociados con una petici\\u00f3n, y relacionados con una etiqueta inyectada y una referencia a una entidad externa en documentos XML.\"}]",
      "id": "CVE-2009-3960",
      "lastModified": "2024-12-19T18:09:00.497",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N\", \"baseScore\": 6.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:P/I:N/A:N\", \"baseScore\": 4.3, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
      "published": "2010-02-15T18:30:00.407",
      "references": "[{\"url\": \"http://secunia.com/advisories/38543\", \"source\": \"psirt@adobe.com\", \"tags\": [\"Broken Link\"]}, {\"url\": \"http://securitytracker.com/id?1023584\", \"source\": \"psirt@adobe.com\", \"tags\": [\"Broken Link\", \"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://www.adobe.com/support/security/bulletins/apsb10-05.html\", \"source\": \"psirt@adobe.com\", \"tags\": [\"Not Applicable\", \"Vendor Advisory\"]}, {\"url\": \"http://www.osvdb.org/62292\", \"source\": \"psirt@adobe.com\", \"tags\": [\"Broken Link\"]}, {\"url\": \"http://www.securityfocus.com/bid/38197\", \"source\": \"psirt@adobe.com\", \"tags\": [\"Broken Link\", \"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://www.exploit-db.com/exploits/41855/\", \"source\": \"psirt@adobe.com\", \"tags\": [\"Exploit\", \"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://secunia.com/advisories/38543\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Broken Link\"]}, {\"url\": \"http://securitytracker.com/id?1023584\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Broken Link\", \"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://www.adobe.com/support/security/bulletins/apsb10-05.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Not Applicable\", \"Vendor Advisory\"]}, {\"url\": \"http://www.osvdb.org/62292\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Broken Link\"]}, {\"url\": \"http://www.securityfocus.com/bid/38197\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Broken Link\", \"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://www.exploit-db.com/exploits/41855/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\", \"VDB Entry\"]}]",
      "sourceIdentifier": "psirt@adobe.com",
      "vulnStatus": "Analyzed",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-noinfo\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2009-3960\",\"sourceIdentifier\":\"psirt@adobe.com\",\"published\":\"2010-02-15T18:30:00.407\",\"lastModified\":\"2025-10-22T01:15:35.130\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Unspecified vulnerability in BlazeDS 3.2 and earlier, as used in LiveCycle 8.0.1, 8.2.1, and 9.0, LiveCycle Data Services 2.5.1, 2.6.1, and 3.0, Flex Data Services 2.0.1, and ColdFusion 7.0.2, 8.0, 8.0.1, and 9.0, allows remote attackers to obtain sensitive information via vectors that are associated with a request, and related to injected tags and external entity references in XML documents.\"},{\"lang\":\"es\",\"value\":\"Vulnerabilidad sin especificar en BlazeDS v3.2 y anteriores, tal como es utilizado en LiveCycle v8.0.1, v8.2.1 y v9.0, LiveCycle Data Services v2.5.1, v2.6.1 y v3.0, Flex Data Services v2.0.1 y ColdFusion v7.0.2, v8.0, v8.0.1 y v9.0. Permite a atacantes remotos obtener informaci\u00f3n confidencial a trav\u00e9s de vectores de ataque asociados con una petici\u00f3n, y relacionados con una etiqueta inyectada y una referencia a una entidad externa en documentos XML.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:N/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"cisaExploitAdd\":\"2022-03-07\",\"cisaActionDue\":\"2022-09-07\",\"cisaRequiredAction\":\"Apply updates per vendor instructions.\",\"cisaVulnerabilityName\":\"Adobe BlazeDS Information Disclosure Vulnerability\",\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:blazeds:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"3.2\",\"matchCriteriaId\":\"AEF7C97E-BE99-415D-B12B-D3E7BD9EDF08\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:7.0.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B015715F-9672-480E-B0AA-968D8C9070D5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:8.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DD6C1877-7412-4FBE-9641-334971F9D153\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:8.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"28C8D6AF-EDE1-42BD-A47C-2EF8690299BD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:9.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"113431FB-E4BE-4416-800C-6B13AD1C0E92\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:flex_data_services:2.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B6F65E3F-F3E7-4BE9-A13B-87FFF3B3777E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:livecycle:8.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3890CE6C-D8D0-4406-ACE1-9849CFCA72F4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:livecycle:8.2.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"82D29A25-10F2-4FFB-A9BC-B7AAD6D1A18A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:livecycle:9.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E6804632-7EA5-45AB-91A3-C05D3426CA9F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:livecycle_data_services:2.5.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"262ED6C7-3C78-4863-9056-A9D55C7DB6CC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:livecycle_data_services:2.6.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BEFE9CD7-0DB5-4038-AFB5-1B756186605C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:livecycle_data_services:3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2EE5075B-DB11-47F3-9601-F4956ECF5047\"}]}]}],\"references\":[{\"url\":\"http://secunia.com/advisories/38543\",\"source\":\"psirt@adobe.com\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://securitytracker.com/id?1023584\",\"source\":\"psirt@adobe.com\",\"tags\":[\"Broken Link\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.adobe.com/support/security/bulletins/apsb10-05.html\",\"source\":\"psirt@adobe.com\",\"tags\":[\"Not Applicable\",\"Vendor Advisory\"]},{\"url\":\"http://www.osvdb.org/62292\",\"source\":\"psirt@adobe.com\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://www.securityfocus.com/bid/38197\",\"source\":\"psirt@adobe.com\",\"tags\":[\"Broken Link\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://www.exploit-db.com/exploits/41855/\",\"source\":\"psirt@adobe.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://secunia.com/advisories/38543\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://securitytracker.com/id?1023584\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.adobe.com/support/security/bulletins/apsb10-05.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Not Applicable\",\"Vendor Advisory\"]},{\"url\":\"http://www.osvdb.org/62292\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://www.securityfocus.com/bid/38197\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://www.exploit-db.com/exploits/41855/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2009-3960\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://www.securityfocus.com/bid/38197\", \"name\": \"38197\", \"tags\": [\"vdb-entry\", \"x_refsource_BID\", \"x_transferred\"]}, {\"url\": \"http://securitytracker.com/id?1023584\", \"name\": \"1023584\", \"tags\": [\"vdb-entry\", \"x_refsource_SECTRACK\", \"x_transferred\"]}, {\"url\": \"http://www.osvdb.org/62292\", \"name\": \"62292\", \"tags\": [\"vdb-entry\", \"x_refsource_OSVDB\", \"x_transferred\"]}, {\"url\": \"http://secunia.com/advisories/38543\", \"name\": \"38543\", \"tags\": [\"third-party-advisory\", \"x_refsource_SECUNIA\", \"x_transferred\"]}, {\"url\": \"https://www.exploit-db.com/exploits/41855/\", \"name\": \"41855\", \"tags\": [\"exploit\", \"x_refsource_EXPLOIT-DB\", \"x_transferred\"]}, {\"url\": \"http://www.adobe.com/support/security/bulletins/apsb10-05.html\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-07T06:45:50.647Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2009-3960\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"active\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-04T21:42:52.303476Z\"}}}, {\"other\": {\"type\": \"kev\", \"content\": {\"dateAdded\": \"2022-03-07\", \"reference\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2009-3960\"}}}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2022-03-07T00:00:00+00:00\", \"value\": \"CVE-2009-3960 added to CISA KEV\"}], \"references\": [{\"url\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2009-3960\", \"tags\": [\"government-resource\"]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"description\": \"CWE-noinfo Not enough information\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-04T21:43:00.573Z\"}}], \"cna\": {\"affected\": [{\"vendor\": \"n/a\", \"product\": \"n/a\", \"versions\": [{\"status\": \"affected\", \"version\": \"n/a\"}]}], \"datePublic\": \"2010-02-11T00:00:00.000Z\", \"references\": [{\"url\": \"http://www.securityfocus.com/bid/38197\", \"name\": \"38197\", \"tags\": [\"vdb-entry\", \"x_refsource_BID\"]}, {\"url\": \"http://securitytracker.com/id?1023584\", \"name\": \"1023584\", \"tags\": [\"vdb-entry\", \"x_refsource_SECTRACK\"]}, {\"url\": \"http://www.osvdb.org/62292\", \"name\": \"62292\", \"tags\": [\"vdb-entry\", \"x_refsource_OSVDB\"]}, {\"url\": \"http://secunia.com/advisories/38543\", \"name\": \"38543\", \"tags\": [\"third-party-advisory\", \"x_refsource_SECUNIA\"]}, {\"url\": \"https://www.exploit-db.com/exploits/41855/\", \"name\": \"41855\", \"tags\": [\"exploit\", \"x_refsource_EXPLOIT-DB\"]}, {\"url\": \"http://www.adobe.com/support/security/bulletins/apsb10-05.html\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Unspecified vulnerability in BlazeDS 3.2 and earlier, as used in LiveCycle 8.0.1, 8.2.1, and 9.0, LiveCycle Data Services 2.5.1, 2.6.1, and 3.0, Flex Data Services 2.0.1, and ColdFusion 7.0.2, 8.0, 8.0.1, and 9.0, allows remote attackers to obtain sensitive information via vectors that are associated with a request, and related to injected tags and external entity references in XML documents.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"text\", \"description\": \"n/a\"}]}], \"providerMetadata\": {\"orgId\": \"078d4453-3bcd-4900-85e6-15281da43538\", \"shortName\": \"adobe\", \"dateUpdated\": \"2017-08-15T09:57:01.000Z\"}, \"x_legacyV4Record\": {\"affects\": {\"vendor\": {\"vendor_data\": [{\"product\": {\"product_data\": [{\"version\": {\"version_data\": [{\"version_value\": \"n/a\"}]}, \"product_name\": \"n/a\"}]}, \"vendor_name\": \"n/a\"}]}}, \"data_type\": \"CVE\", \"references\": {\"reference_data\": [{\"url\": \"http://www.securityfocus.com/bid/38197\", \"name\": \"38197\", \"refsource\": \"BID\"}, {\"url\": \"http://securitytracker.com/id?1023584\", \"name\": \"1023584\", \"refsource\": \"SECTRACK\"}, {\"url\": \"http://www.osvdb.org/62292\", \"name\": \"62292\", \"refsource\": \"OSVDB\"}, {\"url\": \"http://secunia.com/advisories/38543\", \"name\": \"38543\", \"refsource\": \"SECUNIA\"}, {\"url\": \"https://www.exploit-db.com/exploits/41855/\", \"name\": \"41855\", \"refsource\": \"EXPLOIT-DB\"}, {\"url\": \"http://www.adobe.com/support/security/bulletins/apsb10-05.html\", \"name\": \"http://www.adobe.com/support/security/bulletins/apsb10-05.html\", \"refsource\": \"CONFIRM\"}]}, \"data_format\": \"MITRE\", \"description\": {\"description_data\": [{\"lang\": \"eng\", \"value\": \"Unspecified vulnerability in BlazeDS 3.2 and earlier, as used in LiveCycle 8.0.1, 8.2.1, and 9.0, LiveCycle Data Services 2.5.1, 2.6.1, and 3.0, Flex Data Services 2.0.1, and ColdFusion 7.0.2, 8.0, 8.0.1, and 9.0, allows remote attackers to obtain sensitive information via vectors that are associated with a request, and related to injected tags and external entity references in XML documents.\"}]}, \"problemtype\": {\"problemtype_data\": [{\"description\": [{\"lang\": \"eng\", \"value\": \"n/a\"}]}]}, \"data_version\": \"4.0\", \"CVE_data_meta\": {\"ID\": \"CVE-2009-3960\", \"STATE\": \"PUBLIC\", \"ASSIGNER\": \"psirt@adobe.com\"}}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2009-3960\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-10-21T20:04:25.120Z\", \"dateReserved\": \"2009-11-16T00:00:00.000Z\", \"assignerOrgId\": \"078d4453-3bcd-4900-85e6-15281da43538\", \"datePublished\": \"2010-02-15T18:00:00.000Z\", \"assignerShortName\": \"adobe\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.