ColdFusion MX contains a potential buffer overflow when it is used with Microsoft IIS 4.0 or 5.0. The buffer overflow could be triggered maliciously by a remote attacker or inadvertently by an authorized user, resulting in a denial of service (DoS).
When certain ColdFusion templates are requested with file names longer than 8,192 characters or with HTTP headers longer than 4,096 characters, Microsoft IIS can become unresponsive. The ColdFusion template that is requested does not have to be valid to trigger the buffer overflow. A remote attacker could use this weakness to construct a DoS attack that affects IIS and the ColdFusion MX server.
A patch is available.
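
To check whether a server has received requests past the two lengths given above, the following added example (not part of the original advisory or of any vendor tooling) scans IIS logs for them. It assumes W3C extended log format with a `#Fields:` directive, treats the last path segment as the file name, and assumes `.cfm`, `.cfml` and `.cfc` are the extensions mapped to ColdFusion; the function names and the sample log are constructed for illustration.

```python
"""Flag IIS W3C log entries that exceed the lengths named in the advisory."""
MAX_NAME = 8192     # file-name length from the advisory
MAX_HEADER = 4096   # HTTP header length from the advisory
CF_EXTENSIONS = (".cfm", ".cfml", ".cfc")  # assumption: extensions mapped to ColdFusion


def oversized_requests(lines):
    """Yield (line_no, client_ip, reason) for each suspicious log entry."""
    fields = []
    for line_no, line in enumerate(lines, 1):
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split(" ")))
        client = row.get("c-ip", "-")
        # Assumption: the file name is the last segment of cs-uri-stem.
        name = row.get("cs-uri-stem", "").rsplit("/", 1)[-1]
        if name.lower().endswith(CF_EXTENSIONS) and len(name) > MAX_NAME:
            yield line_no, client, f"template name {len(name)} chars"
        for col, value in row.items():
            # cs(...) columns hold logged request headers, e.g. cs(User-Agent)
            if col.startswith("cs(") and len(value) > MAX_HEADER:
                yield line_no, client, f"{col} {len(value)} chars"


def build_sample_log():
    """Constructed sample log; client addresses are RFC 5737 documentation IPs."""
    head = ["#Software: Microsoft Internet Information Services 5.0",
            "#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent)"]
    rows = [
        "2002-01-01 10:00:00 192.0.2.10 GET /index.cfm 200 Mozilla/4.0",
        "2002-01-01 10:00:05 192.0.2.66 GET /" + "A" * 8200 + ".cfm 500 Mozilla/4.0",
        "2002-01-01 10:00:09 192.0.2.66 GET /index.cfm 500 " + "B" * 5000,
        "2002-01-01 10:00:12 192.0.2.10 GET /" + "C" * 9000 + ".html 404 Mozilla/4.0",
    ]
    return head + rows


if __name__ == "__main__":
    for hit in oversized_requests(build_sample_log()):
        print(*hit)
```

Only headers that the site is configured to log appear in `cs(...)` columns, so an oversized header in any other field will not show up in this scan.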