Adobe ColdFusion Security Updates – 18 July 2023

Adobe has released security updates to fix multiple vulnerabilities in Adobe ColdFusion.

The addressed vulnerabilities could allow a remote attacker to execute arbitrary code on the system via the deserialization of untrusted data, or to bypass security restrictions by persuading a victim to open a specially crafted file.

A sample of the addressed vulnerabilities:

1. Adobe ColdFusion Code Execution Vulnerability (CVE-2023-38203):

  • CVSS: 9.8
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Consequences: Gain Access

2. Adobe ColdFusion Security Bypass Vulnerability (CVE-2023-29298):

  • CVSS: 7.5
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Consequences: Bypass Security

The affected versions:

  • ColdFusion 2018 update 17 and earlier versions.
  • ColdFusion 2021 update 7 and earlier versions.
  • ColdFusion 2023 update 1 and earlier versions, GA Release (2023.0.0.330468).

It should be highlighted that threat actors are actively exploiting ColdFusion vulnerabilities (CVE-2023-29298, CVE-2023-38203) to bypass authentication and remotely execute commands that install webshells on vulnerable servers.

Additionally, security researchers have discovered that the recent fix for the CVE-2023-29298 flaw can still be bypassed, so enterprises should expect another patch from Adobe.

Vulnerabilities

  • CVE-2023-29298
  • CVE-2023-29300
  • CVE-2023-29301
  • CVE-2023-38203

Mitigations

Enterprises should deploy these updates as soon as their testing phase is completed.

Adobe Security Advisory
