CVE-2024-20767 (GCVE-0-2024-20767)
Vulnerability from cvelistv5 – Published: 2024-03-18 11:43 – Updated: 2025-10-21 23:05- CWE-284 - Improper Access Control (CWE-284)
| URL | Tags |
|---|---|
| https://helpx.adobe.com/security/products/coldfus… | vendor-advisory |
| https://www.cisa.gov/known-exploited-vulnerabilit… | government-resource |
| Vendor | Product | Version | |
|---|---|---|---|
| Adobe | ColdFusion |
Affected:
0 , ≤ 2021.12
(semver)
|
|
| adobe | coldfusion |
Affected:
2023.0 , ≤ 2023.0_update_12
(custom)
Affected: 2021.0 , ≤ 2021.0_update12 (custom) cpe:2.3:a:adobe:coldfusion:*:*:*:*:*:*:*:* |
CISA
Known Exploited Vulnerability - GCVE BCP-07 Compliant
Exploited: Yes
Timestamps
Scope
Evidence
Type: Vendor Report
Signal: Successful Exploitation
Confidence: 80%
Source: cisa-kev
Details
| Cwes | CWE-284 |
|---|---|
| Feed | CISA Known Exploited Vulnerabilities Catalog |
| Product | ColdFusion |
| Due Date | 2025-01-06 |
| Date Added | 2024-12-16 |
| Vendorproject | Adobe |
| Vulnerabilityname | Adobe ColdFusion Improper Access Control Vulnerability |
| Knownransomwarecampaignuse | Unknown |
References
Shadowserver
Known Exploited Vulnerability - GCVE BCP-07 Compliant
Exploited: Yes
Characteristics
Timestamps
Scope
Evidence
Type: Honeypot
Signal: In The Wild Attempts
Confidence: 70%
Source: shadowserver
Details
| 1D | 2 |
|---|---|
| Iot | no |
| Feed | Shadowserver Foundation honeypot/exploited-vulnerabilities |
| Type | http-scan |
| Class | None |
| 7D Avg | 0 |
| Vendor | |
| 30D Avg | 0 |
| 90D Avg | 0 |
| Product | |
| Cisa Kev | yes |
| Connections | 2 |
| Observation Date | 2026-07-09 |
| Vulnerability Class | None |
| Vulnerability Score | None |
| Vulnerability Severity | None |
References
KEVIntel
Known Exploited Vulnerability - GCVE BCP-07 Compliant
Exploited: Yes
Timestamps
Scope
Evidence
Type: Public Report
Signal: Successful Exploitation
Confidence: 70%
Source: kevintel
Details
| Feed | KEVIntel (kevintel.com) |
|---|---|
| Title | ColdFusion | Improper Access Control (CWE-284) |
| Vendor | Adobe |
| Product | ColdFusion |
| Added Date | 2024-12-16T00:00:00.000Z |
| Cvss Score | 7.4 |
| Epss Score | 0.98514 |
| Cvss Severity | HIGH |
| Epss Percentile | 0.99914 |
| Used In Malware | unknown |
| Ahead Of Cisa Kev | None |
| Not Yet In Cisa Kev | False |
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:adobe:coldfusion:*:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "coldfusion",
"vendor": "adobe",
"versions": [
{
"lessThanOrEqual": "2023.0_update_12",
"status": "affected",
"version": "2023.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "2021.0_update12",
"status": "affected",
"version": "2021.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:adobe:coldfusion:*:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "coldfusion",
"vendor": "adobe",
"versions": [
{
"lessThanOrEqual": "2023.0_update_12",
"status": "affected",
"version": "2023.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "2021.0_update12",
"status": "affected",
"version": "2021.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-20767",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-17T13:27:06.428662Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2024-12-16",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-20767"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T23:05:22.747Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-20767"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-12-16T00:00:00.000Z",
"value": "CVE-2024-20767 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:59:42.948Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/coldfusion/apsb24-14.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "ColdFusion",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2021.12",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"datePublic": "2024-03-12T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "ColdFusion versions 2023.6, 2021.12 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary file system read. An attacker could leverage this vulnerability to access or modify restricted files. Exploitation of this issue does not require user interaction. Exploitation of this issue requires the admin panel be exposed to the internet."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"environmentalScore": 7.4,
"environmentalSeverity": "HIGH",
"exploitCodeMaturity": "NOT_DEFINED",
"integrityImpact": "HIGH",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "HIGH",
"modifiedAttackVector": "NETWORK",
"modifiedAvailabilityImpact": "NONE",
"modifiedConfidentialityImpact": "HIGH",
"modifiedIntegrityImpact": "HIGH",
"modifiedPrivilegesRequired": "NONE",
"modifiedScope": "UNCHANGED",
"modifiedUserInteraction": "NONE",
"privilegesRequired": "NONE",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "UNCHANGED",
"temporalScore": 7.4,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "Improper Access Control (CWE-284)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-12T17:08:09.376Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://helpx.adobe.com/security/products/coldfusion/apsb24-14.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "ColdFusion | Improper Access Control (CWE-284)"
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2024-20767",
"datePublished": "2024-03-18T11:43:28.473Z",
"dateReserved": "2023-12-04T16:52:22.987Z",
"dateUpdated": "2025-10-21T23:05:22.747Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"cisa_known_exploited": {
"cveID": "CVE-2024-20767",
"cwes": "[\"CWE-284\"]",
"dateAdded": "2024-12-16",
"dueDate": "2025-01-06",
"knownRansomwareCampaignUse": "Unknown",
"notes": "https://helpx.adobe.com/security/products/coldfusion/apsb24-14.html ; https://nvd.nist.gov/vuln/detail/CVE-2024-20767",
"product": "ColdFusion",
"requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
"shortDescription": "Adobe ColdFusion contains an improper access control vulnerability that could allow an attacker to access or modify restricted files via an internet-exposed admin panel.",
"vendorProject": "Adobe",
"vulnerabilityName": "Adobe ColdFusion Improper Access Control Vulnerability"
},
"epss": {
"cve": "CVE-2024-20767",
"date": "2026-07-11",
"epss": "0.98514",
"percentile": "0.99915"
},
"fkie_nvd": {
"cisaActionDue": "2025-01-06",
"cisaExploitAdd": "2024-12-16",
"cisaRequiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
"cisaVulnerabilityName": "Adobe ColdFusion Improper Access Control Vulnerability",
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:adobe:coldfusion:2021:-:*:*:*:*:*:*\", \"matchCriteriaId\": \"7A94B406-C011-4673-8C2B-0DD94D46CC4C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:adobe:coldfusion:2021:update1:*:*:*:*:*:*\", \"matchCriteriaId\": \"AFD05E3A-10F9-4C75-9710-BA46B66FF6E6\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:adobe:coldfusion:2021:update10:*:*:*:*:*:*\", \"matchCriteriaId\": \"F1FC7D1D-6DD2-48B2-980F-B001B0F24473\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:adobe:coldfusion:2021:update11:*:*:*:*:*:*\", \"matchCriteriaId\": \"1FA19E1D-61C2-4640-AF06-4BCFE750BDF3\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:adobe:coldfusion:2021:update12:*:*:*:*:*:*\", \"matchCriteriaId\": \"3F331DEA-F3D0-4B13-AB1E-6FE39B2BB55D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:adobe:coldfusion:2021:update2:*:*:*:*:*:*\", \"matchCriteriaId\": \"D57C8681-AC68-47DF-A61E-B5C4B4A47663\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:adobe:coldfusion:2021:update3:*:*:*:*:*:*\", \"matchCriteriaId\": \"75608383-B727-48D6-8FFA-D552A338A562\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:adobe:coldfusion:2021:update4:*:*:*:*:*:*\", \"matchCriteriaId\": \"7773DB68-414A-4BA9-960F-52471A784379\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:adobe:coldfusion:2021:update5:*:*:*:*:*:*\", \"matchCriteriaId\": \"B38B9E86-BCD5-4BCA-8FB7-EC55905184E6\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:adobe:coldfusion:2021:update6:*:*:*:*:*:*\", \"matchCriteriaId\": \"5E7BAB80-8455-4570-A2A2-8F40469EE9CC\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:adobe:coldfusion:2021:update7:*:*:*:*:*:*\", \"matchCriteriaId\": \"F9D645A2-E02D-4E82-A2BD-0A7DE5B8FBCC\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:adobe:coldfusion:2021:update8:*:*:*:*:*:*\", \"matchCriteriaId\": \"6E22D701-B038-4795-AA32-A18BC93C2B6F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:adobe:coldfusion:2021:update9:*:*:*:*:*:*\", \"matchCriteriaId\": \"CAC4A0EC-C3FC-47D8-86CE-0E6A87A7F0B0\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:adobe:coldfusion:2023:-:*:*:*:*:*:*\", \"matchCriteriaId\": \"B02A37FE-5D31-4892-A3E6-156A8FE62D28\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:adobe:coldfusion:2023:update1:*:*:*:*:*:*\", \"matchCriteriaId\": \"0AA3D302-CFEE-4DFD-AB92-F53C87721BFF\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:adobe:coldfusion:2023:update2:*:*:*:*:*:*\", \"matchCriteriaId\": \"EB88D4FE-5496-4639-BAF2-9F29F24ABF29\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:adobe:coldfusion:2023:update3:*:*:*:*:*:*\", \"matchCriteriaId\": \"43E0ED98-2C1F-40B8-AF60-FEB1D85619C0\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:adobe:coldfusion:2023:update4:*:*:*:*:*:*\", \"matchCriteriaId\": \"76204873-C6E0-4202-8A03-0773270F1802\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:adobe:coldfusion:2023:update5:*:*:*:*:*:*\", \"matchCriteriaId\": \"C1A22BE9-0D47-4BA8-8BDB-9B12D7A0F7C7\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:adobe:coldfusion:2023:update6:*:*:*:*:*:*\", \"matchCriteriaId\": \"E3A83642-BF14-4C37-BD94-FA76AABE8ADC\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"ColdFusion versions 2023.6, 2021.12 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary file system read. An attacker could leverage this vulnerability to access or modify restricted files. Exploitation of this issue does not require user interaction. Exploitation of this issue requires the admin panel be exposed to the internet.\"}, {\"lang\": \"es\", \"value\": \"Las versiones 2023.6, 2021.12 y anteriores de ColdFusion se ven afectadas por una vulnerabilidad de control de acceso inadecuado que podr\\u00eda provocar una lectura arbitraria del sistema de archivos. Un atacante podr\\u00eda aprovechar esta vulnerabilidad para eludir las medidas de seguridad y obtener acceso no autorizado a archivos confidenciales y realizar escrituras arbitrarias en el sistema de archivos. La explotaci\\u00f3n de este problema no requiere la interacci\\u00f3n del usuario.\"}]",
"id": "CVE-2024-20767",
"lastModified": "2024-12-17T02:00:02.077",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"psirt@adobe.com\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N\", \"baseScore\": 7.4, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.2, \"impactScore\": 5.2}, {\"source\": \"nvd@nist.gov\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N\", \"baseScore\": 7.4, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.2, \"impactScore\": 5.2}]}",
"published": "2024-03-18T12:15:06.870",
"references": "[{\"url\": \"https://helpx.adobe.com/security/products/coldfusion/apsb24-14.html\", \"source\": \"psirt@adobe.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://helpx.adobe.com/security/products/coldfusion/apsb24-14.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
"sourceIdentifier": "psirt@adobe.com",
"vulnStatus": "Analyzed",
"weaknesses": "[{\"source\": \"psirt@adobe.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-284\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-noinfo\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-20767\",\"sourceIdentifier\":\"psirt@adobe.com\",\"published\":\"2024-03-18T12:15:06.870\",\"lastModified\":\"2026-06-17T07:07:49.320\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"ColdFusion versions 2023.6, 2021.12 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary file system read. An attacker could leverage this vulnerability to access or modify restricted files. Exploitation of this issue does not require user interaction. Exploitation of this issue requires the admin panel be exposed to the internet.\"},{\"lang\":\"es\",\"value\":\"Las versiones 2023.6, 2021.12 y anteriores de ColdFusion se ven afectadas por una vulnerabilidad de control de acceso inadecuado que podr\u00eda provocar una lectura arbitraria del sistema de archivos. Un atacante podr\u00eda aprovechar esta vulnerabilidad para eludir las medidas de seguridad y obtener acceso no autorizado a archivos confidenciales y realizar escrituras arbitrarias en el sistema de archivos. La explotaci\u00f3n de este problema no requiere la interacci\u00f3n del usuario.\"}],\"affected\":[{\"source\":\"psirt@adobe.com\",\"affectedData\":[{\"vendor\":\"Adobe\",\"product\":\"ColdFusion\",\"defaultStatus\":\"affected\",\"versions\":[{\"version\":\"0\",\"lessThanOrEqual\":\"2021.12\",\"versionType\":\"semver\",\"status\":\"affected\"}]}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"affectedData\":[{\"vendor\":\"adobe\",\"product\":\"coldfusion\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:2.3:a:adobe:coldfusion:*:*:*:*:*:*:*:*\"],\"versions\":[{\"version\":\"2023.0\",\"lessThanOrEqual\":\"2023.0_update_12\",\"versionType\":\"custom\",\"status\":\"affected\"},{\"version\":\"2021.0\",\"lessThanOrEqual\":\"2021.0_update12\",\"versionType\":\"custom\",\"status\":\"affected\"}]},{\"vendor\":\"adobe\",\"product\":\"coldfusion\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:2.3:a:adobe:coldfusion:*:*:*:*:*:*:*:*\"],\"versions\":[{\"version\":\"2023.0\",\"lessThanOrEqual\":\"2023.0_update_12\",\"versionType\":\"custom\",\"status\":\"affected\"},{\"version\":\"2021.0\",\"lessThanOrEqual\":\"2021.0_update12\",\"versionType\":\"custom\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"psirt@adobe.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":7.4,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":5.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":7.4,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":5.2}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2024-12-17T13:27:06.428662Z\",\"id\":\"CVE-2024-20767\",\"options\":[{\"exploitation\":\"active\"},{\"automatable\":\"yes\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"cisaExploitAdd\":\"2024-12-16\",\"cisaActionDue\":\"2025-01-06\",\"cisaRequiredAction\":\"Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.\",\"cisaVulnerabilityName\":\"Adobe ColdFusion Improper Access Control Vulnerability\",\"weaknesses\":[{\"source\":\"psirt@adobe.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-284\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2021:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"7A94B406-C011-4673-8C2B-0DD94D46CC4C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2021:update1:*:*:*:*:*:*\",\"matchCriteriaId\":\"AFD05E3A-10F9-4C75-9710-BA46B66FF6E6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2021:update10:*:*:*:*:*:*\",\"matchCriteriaId\":\"F1FC7D1D-6DD2-48B2-980F-B001B0F24473\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2021:update11:*:*:*:*:*:*\",\"matchCriteriaId\":\"1FA19E1D-61C2-4640-AF06-4BCFE750BDF3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2021:update12:*:*:*:*:*:*\",\"matchCriteriaId\":\"3F331DEA-F3D0-4B13-AB1E-6FE39B2BB55D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2021:update2:*:*:*:*:*:*\",\"matchCriteriaId\":\"D57C8681-AC68-47DF-A61E-B5C4B4A47663\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2021:update3:*:*:*:*:*:*\",\"matchCriteriaId\":\"75608383-B727-48D6-8FFA-D552A338A562\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2021:update4:*:*:*:*:*:*\",\"matchCriteriaId\":\"7773DB68-414A-4BA9-960F-52471A784379\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2021:update5:*:*:*:*:*:*\",\"matchCriteriaId\":\"B38B9E86-BCD5-4BCA-8FB7-EC55905184E6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2021:update6:*:*:*:*:*:*\",\"matchCriteriaId\":\"5E7BAB80-8455-4570-A2A2-8F40469EE9CC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2021:update7:*:*:*:*:*:*\",\"matchCriteriaId\":\"F9D645A2-E02D-4E82-A2BD-0A7DE5B8FBCC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2021:update8:*:*:*:*:*:*\",\"matchCriteriaId\":\"6E22D701-B038-4795-AA32-A18BC93C2B6F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2021:update9:*:*:*:*:*:*\",\"matchCriteriaId\":\"CAC4A0EC-C3FC-47D8-86CE-0E6A87A7F0B0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2023:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"B02A37FE-5D31-4892-A3E6-156A8FE62D28\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2023:update1:*:*:*:*:*:*\",\"matchCriteriaId\":\"0AA3D302-CFEE-4DFD-AB92-F53C87721BFF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2023:update2:*:*:*:*:*:*\",\"matchCriteriaId\":\"EB88D4FE-5496-4639-BAF2-9F29F24ABF29\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2023:update3:*:*:*:*:*:*\",\"matchCriteriaId\":\"43E0ED98-2C1F-40B8-AF60-FEB1D85619C0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2023:update4:*:*:*:*:*:*\",\"matchCriteriaId\":\"76204873-C6E0-4202-8A03-0773270F1802\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2023:update5:*:*:*:*:*:*\",\"matchCriteriaId\":\"C1A22BE9-0D47-4BA8-8BDB-9B12D7A0F7C7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2023:update6:*:*:*:*:*:*\",\"matchCriteriaId\":\"E3A83642-BF14-4C37-BD94-FA76AABE8ADC\"}]}]}],\"references\":[{\"url\":\"https://helpx.adobe.com/security/products/coldfusion/apsb24-14.html\",\"source\":\"psirt@adobe.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://helpx.adobe.com/security/products/coldfusion/apsb24-14.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-20767\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]}]}}",
"redhat_vex": {
"current_release_date": "2026-03-27T10:16:26+00:00",
"cve": "CVE-2024-20767",
"id": "CVE-2024-20767",
"initial_release_date": "2024-03-12T17:00:00+00:00",
"product_status:known_not_affected": "1",
"source": "Red Hat CSAF VEX",
"status": "final",
"title": "ColdFusion | Improper Access Control (CWE-284)",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2024/cve-2024-20767.json",
"version": "3"
},
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://helpx.adobe.com/security/products/coldfusion/apsb24-14.html\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-01T21:59:42.948Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-20767\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"active\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-12-17T13:27:06.428662Z\"}}}, {\"other\": {\"type\": \"kev\", \"content\": {\"dateAdded\": \"2024-12-16\", \"reference\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-20767\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:adobe:coldfusion:*:*:*:*:*:*:*:*\"], \"vendor\": \"adobe\", \"product\": \"coldfusion\", \"versions\": [{\"status\": \"affected\", \"version\": \"2023.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"2023.0_update_12\"}, {\"status\": \"affected\", \"version\": \"2021.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"2021.0_update12\"}], \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:2.3:a:adobe:coldfusion:*:*:*:*:*:*:*:*\"], \"vendor\": \"adobe\", \"product\": \"coldfusion\", \"versions\": [{\"status\": \"affected\", \"version\": \"2023.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"2023.0_update_12\"}, {\"status\": \"affected\", \"version\": \"2021.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"2021.0_update12\"}], \"defaultStatus\": \"affected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2024-12-16T00:00:00.000Z\", \"value\": \"CVE-2024-20767 added to CISA KEV\"}], \"references\": [{\"url\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-20767\", \"tags\": [\"government-resource\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-06-18T20:38:34.259Z\"}}], \"cna\": {\"title\": \"ColdFusion | Improper Access Control (CWE-284)\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N\", \"modifiedScope\": \"UNCHANGED\", \"temporalScore\": 7.4, \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"remediationLevel\": \"NOT_DEFINED\", \"reportConfidence\": \"NOT_DEFINED\", \"temporalSeverity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"environmentalScore\": 7.4, \"privilegesRequired\": \"NONE\", \"exploitCodeMaturity\": \"NOT_DEFINED\", \"integrityRequirement\": \"NOT_DEFINED\", \"modifiedAttackVector\": \"NETWORK\", \"confidentialityImpact\": \"HIGH\", \"environmentalSeverity\": \"HIGH\", \"availabilityRequirement\": \"NOT_DEFINED\", \"modifiedIntegrityImpact\": \"HIGH\", \"modifiedUserInteraction\": \"NONE\", \"modifiedAttackComplexity\": \"HIGH\", \"confidentialityRequirement\": \"NOT_DEFINED\", \"modifiedAvailabilityImpact\": \"NONE\", \"modifiedPrivilegesRequired\": \"NONE\", \"modifiedConfidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Adobe\", \"product\": \"ColdFusion\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"2021.12\"}], \"defaultStatus\": \"affected\"}], \"datePublic\": \"2024-03-12T17:00:00.000Z\", \"references\": [{\"url\": \"https://helpx.adobe.com/security/products/coldfusion/apsb24-14.html\", \"tags\": [\"vendor-advisory\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"ColdFusion versions 2023.6, 2021.12 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary file system read. An attacker could leverage this vulnerability to access or modify restricted files. Exploitation of this issue does not require user interaction. Exploitation of this issue requires the admin panel be exposed to the internet.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-284\", \"description\": \"Improper Access Control (CWE-284)\"}]}], \"providerMetadata\": {\"orgId\": \"078d4453-3bcd-4900-85e6-15281da43538\", \"shortName\": \"adobe\", \"dateUpdated\": \"2024-12-12T17:08:09.376Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-20767\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-10-21T23:05:22.747Z\", \"dateReserved\": \"2023-12-04T16:52:22.987Z\", \"assignerOrgId\": \"078d4453-3bcd-4900-85e6-15281da43538\", \"datePublished\": \"2024-03-18T11:43:28.473Z\", \"assignerShortName\": \"adobe\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.