CVE-2015-5255: Input Validation
First published: Wed Nov 18 2015(Updated: )
Adobe BlazeDS, as used in ColdFusion 10 before Update 18 and 11 before Update 7 and LiveCycle Data Services 3.0.x before 3.0.0.354175, 3.1.x before 3.1.0.354180, 4.5.x before 4.5.1.354177, 4.6.2.x before 4.6.2.354178, and 4.7.x before 4.7.0.354178, allows remote attackers to send HTTP traffic to intranet servers via a crafted XML document, related to a Server-Side Request Forgery (SSRF) issue.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| HP P9000 Command View Advanced Edition Software | ||
| HP P9000 Command View Advanced Edition Software | ||
| Adobe ColdFusion | <=10.0 | |
| Adobe ColdFusion | <=11.0 | |
| Adobe LiveCycle Data Services | =3.0 | |
| Adobe LiveCycle Data Services | =4.5 | |
| Adobe LiveCycle Data Services | =4.6 | |
| Adobe LiveCycle Data Services | =4.7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://marc.info/?l=bugtraq&m=145996963420108&w=2
- http://packetstormsecurity.com/files/134506/Apache-Flex-BlazeDS-4.7.1-SSRF.html
- http://www.securityfocus.com/archive/1/536958/100/0/threaded
- http://www.securityfocus.com/bid/77626
- http://www.securitytracker.com/id/1034210
- http://www.vmware.com/security/advisories/VMSA-2015-0008.html
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05073670
- https://helpx.adobe.com/security/products/coldfusion/apsb15-29.html
- https://helpx.adobe.com/security/products/livecycleds/apsb15-30.html
Frequently Asked Questions
What is the severity of CVE-2015-5255?
CVE-2015-5255 has a critical severity level due to its potential for SSRF (Server-Side Request Forgery) exploitation.
How do I fix CVE-2015-5255?
To mitigate CVE-2015-5255, update Adobe ColdFusion to the latest version or apply the patches provided by Adobe.
Which versions of Adobe software are affected by CVE-2015-5255?
CVE-2015-5255 affects Adobe ColdFusion 10 (before Update 18), ColdFusion 11 (before Update 7), and various versions of Adobe LiveCycle Data Services.
Is there a workaround for CVE-2015-5255?
Disabling or restricting SSRF functionality in your affected applications can serve as a temporary workaround for CVE-2015-5255.
What are the potential risks of CVE-2015-5255 exploitation?
Exploitation of CVE-2015-5255 could allow remote attackers to send unauthorized HTTP requests, potentially leading to further attacks on the internal network.
- agent/weakness
- agent/type
- agent/remedy
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/references
- agent/author
- agent/last-modified-date
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/hp
- canonical/hp p9000 command view advanced edition software
- vendor/adobe
- canonical/adobe coldfusion
- version/adobe coldfusion/10.0
- version/adobe coldfusion/11.0
- canonical/adobe livecycle data services
- version/adobe livecycle data services/3.0
- version/adobe livecycle data services/4.5
- version/adobe livecycle data services/4.6
- version/adobe livecycle data services/4.7