Vulnerability Bulletins

Privilege escalation in Adobe BlazeDS, Flex and ColdFusion
Vulnerability classification

| Property | Value |
| --- | --- |
| Confidence level | Official |
| Impact | Privilege escalation |
| Difficulty | Expert |
| Required attacker level | Remote access without an account to a standard service |
System information

| Property | Value |
| --- | --- |
| Affected manufacturer | Commercial Software |
| Affected software | Adobe BlazeDS 3.2; Adobe LiveCycle 8 and 9; Adobe LiveCycle Data Services; Adobe Flex Data Services; Adobe ColdFusion 7, 8 and 9 |
Description

A vulnerability has been discovered in BlazeDS 3.2, LiveCycle 8 and 9, LiveCycle Data Services, Flex Data Services and ColdFusion. A remote attacker could obtain privileged information through methods that handle requests containing external entity references in XML documents. A proof of concept is available.
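As an added illustration (not code from this bulletin or from Adobe), the parser hardening that closes this class of issue on the Java platform BlazeDS and LiveCycle Data Services run on: a DocumentBuilderFactory left at JAXP defaults beside one configured to refuse DOCTYPE declarations and external entities. The AMFX-style sample messages and the placeholder SYSTEM URI are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

public class XxeHardening {

    // Constructed AMFX-style message carrying an external entity declaration.
    // The SYSTEM URI is a placeholder, not a real resource.
    static final String WITH_DOCTYPE =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE amfx [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER\">]>\n"
        + "<amfx ver=\"3\"><body><string>&ext;</string></body></amfx>";

    // Constructed message with no DTD, as a legitimate client would send.
    static final String PLAIN =
        "<?xml version=\"1.0\"?><amfx ver=\"3\"><body><string>hello</string></body></amfx>";

    /** JAXP defaults: a DOCTYPE is honoured and a SYSTEM entity is fetched and expanded. */
    static DocumentBuilder defaultParser() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** Hardened parser: no DOCTYPE, no external entities, no external DTD loading. */
    static DocumentBuilder hardenedParser() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** True if the parser accepts the document, false if it rejects it (SAXParseException). */
    static boolean accepts(DocumentBuilder b, String xml) {
        try {
            b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Check that the hardened parser refuses the DOCTYPE message without breaking plain AMFX.
        System.out.println("hardened rejects DOCTYPE: " + !accepts(hardenedParser(), WITH_DOCTYPE));
        System.out.println("hardened accepts plain:   " + accepts(hardenedParser(), PLAIN));
        // defaultParser() would attempt to resolve file:///PLACEHOLDER before deciding; not run here.
    }
}
```

The same feature flags apply to SAXParserFactory and XMLInputFactory; a service that accepts AMFX or other XML from unauthenticated clients should apply them at every parser entry point, not only the one shown.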
|
Solution

Software update:

- Adobe BlazeDS: http://download.macromedia.com/pub/security/bulletins/blz32_hf_12617.zip
- LiveCycle 9.0: http://download.macromedia.com/pub/security/bulletins/livecycle9_0.zip
- LiveCycle 8.2.1: http://download.macromedia.com/pub/security/bulletins/livecycle8_2_1.zip
- LiveCycle 8.0.1: http://download.macromedia.com/pub/security/bulletins/livecycle8_0_1.zip
- LiveCycle Data Services 2.5.1: http://download.macromedia.com/pub/security/bulletins/lcds251_hf_262793.zip
- LiveCycle Data Services 2.6.1: http://download.macromedia.com/pub/security/bulletins/lcds261_hf_262977.zip
- LiveCycle Data Services 3.0: http://download.macromedia.com/pub/security/bulletins/lcds3_hf_262986.zip
- Flex Data Services 2.0.1: http://download.macromedia.com/pub/security/bulletins/fds201_hf_262793b.zip
- ColdFusion: http://kb2.adobe.com/cps/822/cpsid_82241.html
|
Standard resources

| Property | Value |
| --- | --- |
| CVE | CVE-2009-3960 |
| BID | 38197 |
Other resources

- Adobe Security Bulletin (APSB10-05): http://www.adobe.com/support/security/bulletins/apsb10-05.html
Version history

| Version | Comments | Date |
| --- | --- | --- |
| 1.0 | Advisory issued | 2010-02-23 |
| 1.1 | Advisory updated by Adobe (APSA10-05) | 2010-03-22 |