Adobe APSB24-14 and CVE-2024-20767

I wanted to ask, just to be sure. There are no Lucee issues related to the recent Adobe CF updates. Is that correct?

Other than the possibility of unscoped variables being replaced by values from an unexpected scope if they happen to be undefined in some cases.

I’m being asked by our security people since they saw the Adobe update.

@mattdyer This is only based on my personal review and currently available information - but I don’t see anything new that’s directly related between Lucee and APSB24-14. A few observations:

  • CVE-2024-20767 is described as an “Arbitrary file system read,” but with no other details, it’s just a guess whether the vulnerable functionality is in something unique to ACF, or a universal CFML thing. (My guess is the former.)

  • As you mention, the risks and recommendations around unscoped variables are already well-known and well-documented.

  • Some changes were made to the default allowed extensions in <cffile>, but the risks and recommendations around file uploads are already well-known and well-documented.

  • Only http/https protocols are enabled by default for <iframe src="..."> URIs inside of <cfdocument> tags - but the risks and recommendations for validating user-controlled input that flows in <cfdocument> are already well-known and well-documented. And I haven’t dug into the relevant Lucee code, but quick testing has shown that Lucee’s <cfdocument> doesn’t process embedded <iframe>s anyway.

2 Likes