ColdFusion | Uncontrolled Resource Consumption (CWE-400)
Platform: coldfusion
Component: coldfusion
Fixed version: 2025.6.1
CVE-2026-27308 describes an Uncontrolled Resource Consumption vulnerability in ColdFusion. This flaw allows a high-privileged attacker to exhaust system resources, potentially leading to a denial-of-service condition and reduced application performance. The vulnerability affects ColdFusion versions 2023.18, 2025.6, and earlier, but has been resolved in version 2025.6.1.
Impact and Attack Scenarios
Successful exploitation of CVE-2026-27308 can result in a denial-of-service (DoS) condition for the ColdFusion application. An attacker, possessing elevated privileges, can trigger resource exhaustion, causing the application to slow down significantly or become unresponsive. This can disrupt business operations and potentially impact users' ability to access critical services. While the vulnerability doesn't require user interaction, it necessitates an attacker with sufficient permissions to manipulate the ColdFusion environment. The blast radius is limited to the affected ColdFusion application and its underlying infrastructure.
Exploitation Status
CVE-2026-27308 was publicly disclosed on 2026-04-14. The CVSS score is 2.4 (LOW), indicating a relatively low probability of exploitation. No public proof-of-concept (PoC) code has been released at the time of writing. It is not currently listed in the CISA KEV catalog.
Who Is at Risk
Organizations running ColdFusion versions 2023.18, 2025.6, or earlier are at risk. This includes those with legacy ColdFusion deployments, shared hosting environments where ColdFusion is installed, and those who haven't recently updated their ColdFusion instances.
Detection Steps
• coldfusion: Get-Process -Name ColdFusion | Select-Object CPU, WorkingSet64, VirtualMemorySize64
• coldfusion: Get-WinEvent -LogName Application -FilterXPath "*[System[Provider[@Name='ColdFusion']]]" -MaxEvents 100
• generic web: Check ColdFusion application logs for unusual patterns of requests or errors that might indicate resource exhaustion.
Attack Timeline
- Disclosure
Threat Intelligence
Exploit Status
EPSS
0.02% (6th percentile)
CISA SSVC
CVSS Vector
- Attack Vector: Adjacent. Requires proximity to the same LAN, Bluetooth, or local wireless segment.
- Attack Complexity: Low. No special conditions required; exploitable reliably.
- Privileges Required: High. Requires an administrator or privileged account.
- User Interaction: None. Automatic and silent; the victim does nothing.
- Scope: Unchanged. Impact is limited to the vulnerable component.
- Confidentiality: None. No impact on confidentiality.
- Integrity: None. No impact on integrity.
- Availability: Low. Partial or intermittent denial of service.
Affected Software
Weakness Classification (CWE)
Timeline
- Reserved
- Published
- Updated
- EPSS updated
Mitigations and Workarounds
The primary mitigation for CVE-2026-27308 is to upgrade ColdFusion to version 2025.6.1 or later, which contains the fix. If an immediate upgrade is not feasible, consider implementing temporary workarounds such as rate limiting requests to the ColdFusion application. Monitor system resource utilization (CPU, memory, disk I/O) for unusual spikes that could indicate exploitation attempts. After upgrading, confirm the vulnerability is resolved by attempting to reproduce the resource exhaustion condition and verifying that it no longer occurs.
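The detection commands above only take a single snapshot. The following PowerShell script, added here as an example and not part of the advisory, samples the ColdFusion process repeatedly and flags the CPU and working-set spikes the mitigation section says to watch for. The process name "coldfusion" and the thresholds are assumptions; measure a baseline on a healthy server before relying on them.

```powershell
# Added example: repeatedly sample the ColdFusion process and warn on sustained
# CPU consumption or working-set growth that could indicate resource exhaustion.
param(
    [string]$ProcessName = 'coldfusion',   # assumed name of the ColdFusion JVM process
    [int]$Samples = 12,                    # number of samples to take
    [int]$IntervalSeconds = 5,             # seconds between samples
    [double]$CpuDeltaThreshold = 4.0,      # assumed: CPU-seconds consumed per interval
    [int]$WorkingSetThresholdMB = 4096     # assumed: working-set ceiling in MB
)

$previousCpu = $null
for ($i = 0; $i -lt $Samples; $i++) {
    $proc = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
    if (-not $proc) { Write-Warning "Process '$ProcessName' not found"; break }

    # Get-Process may return several instances; aggregate their counters.
    $cpuSeconds = ($proc | Measure-Object -Property CPU -Sum).Sum
    $wsMB = [math]::Round((($proc | Measure-Object -Property WorkingSet64 -Sum).Sum) / 1MB)
    $now = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'

    # CPU is cumulative processor time; the delta between samples is the load in this interval.
    if ($null -ne $previousCpu) {
        $delta = $cpuSeconds - $previousCpu
        if ($delta -gt $CpuDeltaThreshold) {
            Write-Warning "$now CPU spike: $([math]::Round($delta, 1)) CPU-seconds in the last ${IntervalSeconds}s"
        }
    }
    if ($wsMB -gt $WorkingSetThresholdMB) {
        Write-Warning "$now Working set ${wsMB} MB exceeds ${WorkingSetThresholdMB} MB"
    }

    "$now CPU=$([math]::Round($cpuSeconds, 1))s WS=${wsMB}MB"
    $previousCpu = $cpuSeconds
    Start-Sleep -Seconds $IntervalSeconds
}
```

Correlate any warning with the Application log query from the detection steps and with request logs for the same window before concluding that the spike is exploitation rather than normal load.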
Remediation
Adobe recommends updating to version 2025.6.1 or later to mitigate this vulnerability. The update fixes the excessive resource consumption problem that could lead to a denial of service. See the Adobe Security Advisory APSB26-38 page for more details and update instructions.
Frequently Asked Questions
What is CVE-2026-27308 — DoS in ColdFusion?
CVE-2026-27308 is a denial-of-service vulnerability in ColdFusion affecting all versions up to and including 2025.6. An attacker can exhaust system resources, impacting application speed.
Am I affected by CVE-2026-27308 in ColdFusion?
You are affected if you are running ColdFusion versions 2023.18, 2025.6, or earlier. Upgrade to 2025.6.1 or later to mitigate the risk.
How do I fix CVE-2026-27308 in ColdFusion?
Upgrade ColdFusion to version 2025.6.1 or later. As a temporary workaround, implement rate limiting for requests to the application.
Is CVE-2026-27308 being actively exploited?
There are currently no reports of active exploitation, and no public proof-of-concept code is available.
Where can I find the official ColdFusion advisory for CVE-2026-27308?
Refer to the Adobe Security Bulletin for CVE-2026-27308 on the Adobe website.