Vulnerability Details : CVE-2014-5468
Public exploit exists!
A File Inclusion vulnerability exists in Railo 4.2.1 and earlier via a specially-crafted URL request to the thumbnail.cfm to specify a malicious PNG file, which could let a remote malicious user obtain sensitive information or execute arbitrary code.
Vulnerability category: Input validation; Execute code
Exploit prediction scoring system (EPSS) score for CVE-2014-5468
Probability of exploitation activity in the next 30 days: 37.14%
Percentile (the proportion of vulnerabilities that are scored at or less): ~97%
Metasploit modules for CVE-2014-5468
- Railo Remote File Include
Disclosure Date: 2014-08-26
First seen: 2020-04-26
Module: exploit/linux/http/railo_cfml_rfi
This module exploits a remote file include vulnerability in Railo, tested against version 4.2.1. First, a call using a vulnerable <cffile> line in thumbnail.cfm allows an attacker to download an arbitrary PNG fi
CVSS scores for CVE-2014-5468
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST |
8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST |
CWE ids for CVE-2014-5468
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-5468
- http://packetstormsecurity.com/files/128234/Railo-4.2.1-Remote-File-Inclusion.html
Railo 4.2.1 Remote File Inclusion ≈ Packet Storm (Exploit; Third Party Advisory; VDB Entry)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/95959
Railo thumbnail.cfm file include CVE-2014-5468 Vulnerability Report (Third Party Advisory; VDB Entry)
- https://vulmon.com/vulnerabilitydetails?qid=CVE-2014-5468
CVE-2014-5468 A File Inclusion vulnerability exists in Railo 4... (Third Party Advisory)
- https://www.securityfocus.com/bid/69761
Railo CVE-2014-5468 Remote File Include Vulnerability (Third Party Advisory; VDB Entry)
- http://www.exploit-db.com/exploits/34669
Railo 4.2.1 - Remote File Inclusion (Metasploit) - Multiple remote Exploit (Exploit; Third Party Advisory; VDB Entry)
Products affected by CVE-2014-5468
- cpe:2.3:a:getrailo:railo:*:*:*:*:*:*:*:*