CVE-2022-38420: 
Adobe ColdFusion 2018 vulnerability analysis and mitigation

Adobe ColdFusion versions Update 14 (and earlier) and Update 4 (and earlier) are affected by a Use of Hard-coded Credentials vulnerability (CVE-2022-38420) that was disclosed on October 14, 2022. This vulnerability could result in application denial-of-service by gaining access to start/stop arbitrary services. The vulnerability specifically exists within the Admin Component service and does not require user interaction for exploitation (NVD, ZDI).

The vulnerability is classified as a Use of Hard-coded Credentials (CWE-798) issue. The specific flaw exists within the Admin Component service, where the service uses a hard-coded password for the administrator user. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

The exploitation of this vulnerability could allow remote attackers to bypass authentication on affected installations of Adobe ColdFusion. This could result in application denial-of-service by gaining access to start/stop arbitrary services (ZDI).

Adobe has issued an update to correct this vulnerability. Users should update to the latest version of Adobe ColdFusion to mitigate this security issue (ZDI).