The flaws affect ColdFusion 2018 version 4 and earlier, and ColdFusion 2016 version 11 and earlier.
The first critical flaw is CVE-2019-8073, described as allowing “command injection via vulnerable component” leading to arbitrary code execution (ACE).
The second critical flaw is CVE-2019-8074, a path traversal vulnerability allowing an access control bypass.
The final vulnerability, rated ‘important’, is CVE-2019-8072, a security bypass leading to information disclosure.
Because this is an ‘out of band’ update – a polite way of saying it’s unexpected and urgent – Adobe offers only placeholder descriptions of their nature.
All three are credited to external researchers, in the order listed above: ‘Badcode’ of the Knownsec 404 Team, Daniel Underhay of Aura Information Security, and Pete Freitag of Foundeo Inc.
Emergency fixes for ColdFusion aren’t that common, although the product did receive one in March for a flaw that was, on that occasion, being exploited in the wild.
While there’s no indication that the latest flaws are being exploited, they still deserve urgent attention.
Adobe’s next scheduled update (which may or may not contain new ColdFusion fixes) is due with Windows’ October Patch Tuesday on 8 October.