CVE-2015-5255: Input Validation
First published: Wed Nov 18 2015(Updated: )
Adobe BlazeDS, as used in ColdFusion 10 before Update 18 and 11 before Update 7 and LiveCycle Data Services 3.0.x before 3.0.0.354175, 3.1.x before 3.1.0.354180, 4.5.x before 4.5.1.354177, 4.6.2.x before 4.6.2.354178, and 4.7.x before 4.7.0.354178, allows remote attackers to send HTTP traffic to intranet servers via a crafted XML document, related to a Server-Side Request Forgery (SSRF) issue.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| HP XP P9000 Command View Advanced Edition | ||
| Hp Xp7 Command View Advanced Edition | ||
| Adobe ColdFusion | <=10.0 | |
| Adobe ColdFusion | <=11.0 | |
| Adobe LiveCycle Data Services | =3.0 | |
| Adobe LiveCycle Data Services | =4.5 | |
| Adobe LiveCycle Data Services | =4.6 | |
| Adobe LiveCycle Data Services | =4.7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://marc.info/?l=bugtraq&m=145996963420108&w=2
- http://packetstormsecurity.com/files/134506/Apache-Flex-BlazeDS-4.7.1-SSRF.html
- http://www.securityfocus.com/archive/1/536958/100/0/threaded
- http://www.securityfocus.com/bid/77626
- http://www.securitytracker.com/id/1034210
- http://www.vmware.com/security/advisories/VMSA-2015-0008.html
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05073670
- https://helpx.adobe.com/security/products/coldfusion/apsb15-29.html
- https://helpx.adobe.com/security/products/livecycleds/apsb15-30.html
- collector/nvd-index
- agent/references
- agent/severity
- agent/author
- agent/weakness
- agent/type
- agent/event
- agent/description
- agent/remedy
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/hp
- canonical/hp xp p9000 command view advanced edition
- canonical/hp xp7 command view advanced edition
- vendor/adobe
- canonical/adobe coldfusion
- version/adobe coldfusion/10.0
- version/adobe coldfusion/11.0
- canonical/adobe livecycle data services
- version/adobe livecycle data services/3.0
- version/adobe livecycle data services/4.5
- version/adobe livecycle data services/4.6
- version/adobe livecycle data services/4.7