
The Adobe ColdFusion installer contains a security vulnerability identified as CVE-2020-10145, which was publicly disclosed on February 1, 2021. The vulnerability stems from the installer's failure to set secure access-control lists (ACLs) on the default installation directory, such as C:\ColdFusion2021. This affects multiple versions of Adobe ColdFusion, including ColdFusion 2016, 2018, and 2021 (CERT Advisory).
The vulnerability is characterized by incorrect default permissions (CWE-276) and improper access control (CWE-284). The severity of this vulnerability is rated as HIGH with a CVSS v3.1 Base Score of 7.8 (Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and a CVSS v2.0 Base Score of 7.2 (Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C) (NVD).
The vulnerability allows unprivileged users to create files within the ColdFusion installation directory tree. By placing a specially crafted DLL file in that directory, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system running the vulnerable ColdFusion software (CERT Advisory).
Adobe provides several mitigation options depending on the ColdFusion version: For ColdFusion 2016, users should apply changes outlined in the ColdFusion 2016 Lockdown Guide. For ColdFusion 2018 and 2021, users must run the respective Auto-Lockdown installer and ensure it completes without error. The ColdFusion Server Auto-Lockdown installer must be installed in addition to the main ColdFusion installation to secure service privileges, ACLs, and other attributes (CERT Advisory).
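The root cause above is a directory ACL that grants write access to low-privilege principals, so the practical check on an existing host is to audit that ACL. The following PowerShell script is an added example, not code from this page, Adobe, or CERT: it reads the DACL of the ColdFusion install directory (defaulting to the C:\ColdFusion2021 path named in the advisory; the directory list and the choice of principals are assumptions) and reports any Allow entry that gives Everyone, BUILTIN\Users, Authenticated Users or the INTERACTIVE group rights sufficient to create or replace files. Principals are matched by well-known SID rather than by display name so the check is not affected by localized account names.

```powershell
# Added example (not from the Wiz page, Adobe or CERT): audit the ColdFusion
# install directory DACL for write access held by low-privilege principals.
# Assumes the default C:\ColdFusion2021 path from the advisory; pass -Path for
# another version (e.g. C:\ColdFusion2018). Run from an elevated session so
# Get-Acl can read every subdirectory.
param(
    [string]$Path = 'C:\ColdFusion2021',
    [switch]$Recurse
)

# Well-known SIDs that should never hold write rights on a service's binaries.
$LowPrivSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-11'     = 'NT AUTHORITY\Authenticated Users'
    'S-1-5-4'      = 'NT AUTHORITY\INTERACTIVE'
}

# Rights that allow creating or replacing files (enough to plant a DLL).
$FsRights  = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]$FsRights::CreateFiles -bor [int]$FsRights::CreateDirectories -bor
             [int]$FsRights::Write -bor [int]$FsRights::Modify -bor
             [int]$FsRights::FullControl -bor [int]$FsRights::Delete

function Get-AceSid {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    # IdentityReference may already be a SID (orphaned account) or an NTAccount.
    try {
        return $Ace.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        return $Ace.IdentityReference.Value
    }
}

function Test-ColdFusionDirAcl {
    param(
        [string]$Directory,
        [switch]$Recurse
    )

    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) {
        Write-Warning "Directory not found: $Directory"
        return @()
    }

    $targets = @(Get-Item -LiteralPath $Directory)
    if ($Recurse) {
        $targets += Get-ChildItem -LiteralPath $Directory -Directory -Recurse -ErrorAction SilentlyContinue
    }

    $findings = @()
    foreach ($dir in $targets) {
        $acl = Get-Acl -LiteralPath $dir.FullName
        foreach ($ace in $acl.Access) {
            # Only Allow entries grant access; Deny entries only reduce it.
            if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }

            $sid = Get-AceSid -Ace $ace
            if (-not $LowPrivSids.ContainsKey($sid)) { continue }

            # Bitwise test against the write mask; generic rights cast to int as well.
            if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) {
                $findings += [pscustomobject]@{
                    Path      = $dir.FullName
                    Principal = $LowPrivSids[$sid]
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
    return $findings
}

$results = Test-ColdFusionDirAcl -Directory $Path -Recurse:$Recurse
if ($results.Count -eq 0) {
    Write-Host "No low-privilege write access found under $Path"
} else {
    $results | Format-Table -AutoSize
    Write-Host "Run the ColdFusion Auto-Lockdown installer (or apply the 2016 Lockdown Guide) to correct these ACLs."
}
```

Any row in the output is a directory where an unprivileged account could drop a file next to ColdFusion's binaries; the Inherited column shows whether the grant comes from the install directory itself or from a parent, which tells you where the remediation has to be applied. Re-run the script after the Auto-Lockdown installer completes to confirm the entries are gone.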
Source: This report was generated using AI