CVE-2024-53961: 
Adobe ColdFusion vulnerability analysis and mitigation

A critical path traversal vulnerability (CVE-2024-53961) was discovered in Adobe ColdFusion versions 2023.11, 2021.17, and earlier. The vulnerability was disclosed on December 23, 2024, affecting Adobe ColdFusion's file system access controls. This security flaw could potentially allow attackers to perform arbitrary file system read operations outside of the application's intended restricted directory (NVD, Adobe Advisory).

The vulnerability is classified as an Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) vulnerability, identified as CWE-22. The CVSS v3.1 base score was assessed at 9.8 (Critical) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, while Adobe Systems rated it at 7.4 (High) with a vector string of CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N (NVD).

The exploitation of this vulnerability could lead to unauthorized access to files and directories outside the application's restricted directory scope. This could result in the disclosure of sensitive information or potential manipulation of system data (NVD).

Adobe has released security updates to address this vulnerability. ColdFusion (2023 release) Update 12 was released on December 23, 2024, specifically to resolve this critical vulnerability (ColdFusion Update).