CVE-2009-3960
CVE-2009-3960 is a medium-severity vulnerability in Adobe Blazeds with a CVSS 3.x base score of 6.5. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-03-07).
Key facts
- Severity: Medium (CVSS 3.x base score 6.5)
- CVSS v2: 4.3
- EPSS exploit prediction: 90% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2022-03-07)
- EU (EUVD) id: EUVD-2009-3931
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2022-03-07)
- Affected product: Adobe Blazeds
- Published:
- Last modified:
Description
Unspecified vulnerability in BlazeDS 3.2 and earlier, as used in LiveCycle 8.0.1, 8.2.1, and 9.0, LiveCycle Data Services 2.5.1, 2.6.1, and 3.0, Flex Data Services 2.0.1, and ColdFusion 7.0.2, 8.0, 8.0.1, and 9.0, allows remote attackers to obtain sensitive information via vectors that are associated with a request, and related to injected tags and external entity references in XML documents.
CVE-2009-3960: Adobe BlazeDS XML External Entity Information Disclosure
AI-generated analysis based on the vulnerability data on this page.
| Field | Value |
|---|---|
| CVE | CVE-2009-3960 |
| Published | 2010-02-15 |
| CVSS v2 | 4.3 (MEDIUM) — AV:N/AC:M/Au:N/C:P/I:N/A:N |
| CVSS v3 | 6.5 (MEDIUM) — CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
| EPSS | 0.90012 (99.78th percentile) |
| KEV | Yes (CISA added 2022-03-07) |
| CWE | Not assigned in NVD; behavior aligns with XML External Entity (XXE) processing |
Summary
Adobe BlazeDS 3.2 and earlier versions contain an unspecified vulnerability involving injected tags and external entity references in XML documents. The flaw allows remote, unauthenticated attackers to obtain sensitive information from systems running affected Adobe products.
Background
BlazeDS is a remoting and messaging technology used to connect Adobe Flex and AIR applications with back-end services. It is bundled with multiple Adobe enterprise platforms including ColdFusion, Adobe LiveCycle, and Flex Data Services. In early 2010, Adobe released security bulletin APSB10-05 to address this vulnerability across the affected product lines.
Root Cause
The official CWE identifier is not recorded in NVD. However, the vulnerability description explicitly references "injected tags and external entity references in XML documents," which is characteristic of an XML External Entity (XXE) processing flaw (CWE-611). The issue stems from the BlazeDS XML parser resolving external entities within user-supplied XML payloads, allowing attackers to read local files or perform server-side request forgery.
Impact
- CVSS v2 Score: 4.3 (MEDIUM) — Network exploitable with medium complexity; no authentication required. Confidentiality impact is Partial.
- CVSS v3 Score: 6.5 (MEDIUM) — Network attack with low complexity, no privileges required, but user interaction is required. Confidentiality impact is High.
- Availability / Integrity: No impact on integrity or availability per the official vector.
- EPSS: 0.90012 (90.01% probability of exploitation), placing it in the 99.78th percentile, indicating extremely high real-world exploit likelihood.
- Known Exploited Vulnerability (KEV): Yes — added to the CISA KEV catalog on 2022-03-07, confirming active exploitation in the wild.
Exploitation Walkthrough
Ethics Notice: The following description is provided for defensive awareness only. Do not use this information to attack systems without explicit authorization. Unauthorized access to computer systems is illegal in most jurisdictions.
An attacker crafts a malicious XML document containing external entity references and submits it to a BlazeDS endpoint (for example, via an AMF remoting gateway or message destination that accepts XML). If the parser resolves the external entity, the attacker can coerce the server to read arbitrary local files or make outbound requests. The resulting data may be reflected in error messages, responses, or application logs.
Defenders should test their BlazeDS endpoints for XXE by:
- Submitting benign XML payloads with defined internal entities to verify parsing behavior.
- Monitoring server logs for unexpected outbound connections or file-read events.
- Reviewing XML parser configurations for external entity resolution settings.
Affected and Patched Versions
Affected products and versions:
- Adobe BlazeDS 3.2 and earlier
- Adobe ColdFusion 7.0.2, 8.0, 8.0.1, 9.0
- Adobe Flex Data Services 2.0.1
- Adobe LiveCycle 8.0.1, 8.2.1, 9.0
- Adobe LiveCycle Data Services 2.5.1, 2.6.1, 3.0
Patches: Adobe released security bulletin APSB10-05 with patches for all affected products. Administrators should apply the vendor-provided updates for their specific product and version.
Remediation
- Patch: Apply the updates from Adobe Security Bulletin APSB10-05 for the affected product.
- Disable External Entities: If patching is not immediately feasible, configure the underlying XML parser to disable external entity resolution and DTD processing.
- Network Segmentation: Restrict BlazeDS endpoints to authorized clients only; do not expose remoting interfaces to untrusted networks.
- Input Validation: Implement strict validation on all XML inputs; reject documents containing DTD declarations or external entity references where possible.
- WAF / IDS: Deploy web-application firewall rules that detect XML payloads containing DTDs or entity expansion patterns.
Detection
- Monitor application logs for unusual XML parsing errors or unexpected file-read operations.
- Alert on outbound network connections from BlazeDS application servers to unexpected destinations.
- Use file-integrity monitoring to detect unauthorized modifications to BlazeDS configuration files.
- Review HTTP request logs for large XML payloads or requests containing
DOCTYPEdeclarations.
Assessment
Despite the moderate CVSS scores, the EPSS of 0.90012 and CISA KEV listing make this a high-priority remediation item. The gap between the CVSS v2 score (4.3) and the actual threat level illustrates a classic limitation of older scoring models: information-disclosure vulnerabilities with low complexity can be trivially weaponized and are frequently exploited in the wild.
Key lessons:
- CVSS alone does not capture exploitation prevalence; always pair with EPSS and KEV data.
- XXE vulnerabilities in middleware (like BlazeDS) have a broad blast radius because they affect every application built on that platform.
References
- http://secunia.com/advisories/38543
- http://securitytracker.com/id?1023584
- http://www.adobe.com/support/security/bulletins/apsb10-05.html
- http://www.osvdb.org/62292
- http://www.securityfocus.com/bid/38197
- https://www.exploit-db.com/exploits/41855/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2009-3960
Frequently asked questions
- What is CVE-2009-3960?
- Unspecified vulnerability in BlazeDS 3.2 and earlier, as used in LiveCycle 8.0.1, 8.2.1, and 9.0, LiveCycle Data Services 2.5.1, 2.6.1, and 3.0, Flex Data Services 2.0.1, and ColdFusion 7.0.2, 8.0, 8.0.1, and 9.0, allows remote attackers to obtain sensitive information via vectors that are associated with a request, and related to injected tags and external entity references in XML documents.
- How severe is CVE-2009-3960?
- CVE-2009-3960 has a CVSS 3.x base score of 6.5, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity none, and availability none.
- Is CVE-2009-3960 being actively exploited?
- Yes. CVE-2009-3960 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-03-07, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2009-3960?
- CVE-2009-3960 primarily affects Adobe Blazeds. In total, 12 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2009-3960?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2009-3960 have an EU (EUVD) identifier?
- Yes. CVE-2009-3960 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2009-3931. It is also flagged as exploited in the EUVD (since 2022-03-07).
- When was CVE-2009-3960 published?
- CVE-2009-3960 was published on 2010-02-15 and last updated on 2026-06-16.
References
- http://secunia.com/advisories/38543
- http://securitytracker.com/id?1023584
- http://www.adobe.com/support/security/bulletins/apsb10-05.html
- http://www.osvdb.org/62292
- http://www.securityfocus.com/bid/38197
- https://www.exploit-db.com/exploits/41855/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2009-3960
Affected products (12)
- cpe:2.3:a:adobe:blazeds:*:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:coldfusion:7.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:coldfusion:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:coldfusion:8.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:coldfusion:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flex_data_services:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:livecycle:8.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:livecycle:8.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:livecycle:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:livecycle_data_services:2.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:livecycle_data_services:2.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:livecycle_data_services:3.0:*:*:*:*:*:*:*
More vulnerabilities in Adobe Blazeds
- CVE-2011-2092 — Critical (CVSS 10.0): Adobe LiveCycle Data Services 3.1 and earlier, LiveCycle 9.0.0.2 and earlier, and BlazeDS 4.0.1 and earlier do not…
- CVE-2011-2093 — Medium (CVSS 5.0): Adobe LiveCycle Data Services 3.1 and earlier, LiveCycle 9.0.0.2 and earlier, and BlazeDS 4.0.1 and earlier do not…