This site uses cookies to enhance your experience.  By continuing to visit this website, you consent to the use of these cookies. Click here to learn more about our privacy policy.

Adobe ColdFusion Arbitrary File Read and Arbitrary File Inclusion Vulnerability

Adobe ColdFusion is a dynamic web server and its ColdFusion Markup Language (CFML) is a programming language like the JSP Standard Tag Lib (JSTL) in the current JSP. Since developed in 1995, it has been considered to be very advanced and used by some other programming languages as a reference.

ColdFusion was originally an application server platform developed by Allaire Corporation. The CFML it used was a scripting language for web applications. CMF files use *.cfm as file extension and run on ColdFusion application server. After Allaire Corporation was acquired by Macromedia, Macromedia ColdFusion 5.0 was launched. Similar to other programming languages, CFM files are compiled into the corresponding C++ language, run, and then results are returned to the browser. Although CFC and custom tags have similar reusability, CFC provides more flexible calling methods, such as webservice calling method.

Since Macromedia was acquired by Adobe, ColdFusion has become a product of Adobe.

On March 18, 2020, Adobe released a security patch (Bulletin ID APSB20-16) for Adobe ColdFusion. The patch fixes arbitrary file read and arbitrary file inclusion vulnerabilities in Adobe ColdFusion (CVE-2020-3761, CVE-2020-3794).

The internal related attributes can be controlled due to the flaws in the design of the AJP protocol. Attackers can construct attribute values, then exploit vulnerabilities, which can lead to sensitive file information disclosure and even remote code execution vulnerability exploit.

This vulnerability is used in the same way as the previously exposed Tomcat file inclusion vulnerability CVE-2020-1938. Using the design flaw of the AJP protocol, attackers can construct internal attribute values and exploit the vulnerability by controlling these three attribute values:


Using Adobe ColdFusion 2018 as the environment for analysis, we analyze the code used by Adobe ColdFusion to process AJP protocol data (tomcat-coyote.jar dependency package imported under the runtime path). The org.apache.coyote.ajp.AjpProcessor class code is as follows:

We can conclude that the vulnerability exploitation process is basically the same as CVE-2020-1938.

We built Adobe ColdFusion 2018 environment and sent the constructed data to the Tomcat server through the AJP protocol. Then we successfully obtained the sensitive file information under the Adobe path, as shown below:

Affected Adobe ColdFusion versions:
ColdFusion 2016 Update 13 and earlier versions
ColdFusion 2018 Update 7 and earlier versions

March 18, 2020 Adobe released a security patch (Bulletin ID APSB20-16) for Adobe ColdFusion.
March 20, 2020 Sangfor FarSight Labs reproduced this vulnerability successfully, then released alerts and solutions.

Remediation Solution
Adobe has released security patch APSB20-16 to fix this vulnerability. You can visit the following link to download the patch:

Sangfor Solution
For Sangfor NGAF customers, keep NGAF security protection rules up to date.

Sangfor Cloud WAF has automatically updated its database in the cloud. Those users are already protected from this vulnerability without needing to perform any additional operations.

Sangfor Cyber Command is capable of detecting attacks which exploit this vulnerability and can alert users in real time. Users can correlate Cyber Command to Sangfor NGAF to block an attacker's IP address.

Sangfor SOC makes sure that Sangfor security specialists are available 24/7 to you for any security issue. Sangfor security experts scan the customer's network environment in the first place to ensure that the customer's host is free from this vulnerability. For users with vulnerabilities, we reviewed and updated device policies to ensure protection capability against this vulnerability.