{"dataType": "CVE_RECORD", "containers": {"cna": {"metrics": [{"format": "CVSS", "cvssV2_0": {"version": "2.0", "baseScore": 10, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"cpes": ["cpe:2.3:a:adobe:coldfusion:10.0:-:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:10.0:update10:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:10.0:update11:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:10.0:update12:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:10.0:update13:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:10.0:update14:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:10.0:update15:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:10.0:update16:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:10.0:update17:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:10.0:update18:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:10.0:update19:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:10.0:update1:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:10.0:update20:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:10.0:update21:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:10.0:update22:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:10.0:update2:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:10.0:update3:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:10.0:update4:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:10.0:update5:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:10.0:update6:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:10.0:update7:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:10.0:update8:*:*:*:*:*:*", 
"cpe:2.3:a:adobe:coldfusion:10.0:update9:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:11.0:-:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:11.0:update10:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:11.0:update11:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:11.0:update1:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:11.0:update2:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:11.0:update3:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:11.0:update4:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:11.0:update5:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:11.0:update6:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:11.0:update7:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:11.0:update8:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:11.0:update9:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:2016:-:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:2016:update1:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:2016:update2:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:2016:update3:*:*:*:*:*:*"], "vendor": "adobe", "product": "coldfusion", "versions": [{"status": "affected", "version": "10.0"}, {"status": "affected", "version": "11.0"}, {"status": "affected", "version": "2016"}], "defaultStatus": "unaffected"}], "references": [{"url": "http://www.securityfocus.com/bid/98003", "tags": ["broken-link", "third-party-advisory", "vdb-entry"]}, {"url": "http://www.securitytracker.com/id/1038364", "tags": ["broken-link", "third-party-advisory", "vdb-entry"]}, {"url": "https://www.exploit-db.com/exploits/43993/", "tags": ["exploit", "third-party-advisory", "vdb-entry"]}, {"url": "https://helpx.adobe.com/security/products/coldfusion/apsb17-14.html", "tags": ["patch", "vendor-advisory"]}, {"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-3066", "tags": ["x_us-government-resource"]}], "descriptions": [{"lang": "en", "value": "Adobe ColdFusion 2016 Update 3 and earlier, ColdFusion 11 update 11 and earlier, ColdFusion 10 Update 22 and earlier have a Java deserialization vulnerability in the Apache BlazeDS library. Successful exploitation could lead to arbitrary code execution."}, {"lang": "es", "value": "Adobe ColdFusion 2016 Update 3 y anteriores, ColdFusion 11 update 11 y anteriores, ColdFusion 10 Update 22 y anteriores tienen una vulnerabilidad de deserialización de Java en la librería Apache BlazeDS. Una explotación exitosa podría conducir a la ejecución arbitraria de código."}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-502", "description": "CWE-502"}]}], "providerMetadata": {"orgId": "00000000-0000-4000-A000-000000000003", "shortName": "nvd", "dateUpdated": "2017-04-27T14:59:00Z", "x_subShortName": "nvd"}}}, "cveMetadata": {"cveId": "CVE-2017-3066", "state": "PUBLISHED", "dateUpdated": "2026-04-22T12:14:13Z", "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", "datePublished": "2017-04-27T14:59:00Z", "assignerShortName": "adobe"}, "dataVersion": "5.0"}