- 172/2023
- Critical
Adobe has released security updates to fix multiple vulnerabilities in Adobe ColdFusion.
The addressed vulnerabilities could allow the remote attacker to execute arbitrary code on the system via the deserialization of untrusted data or bypass security restrictions by persuading the victim to open a specially crafted file.
Sample of the addressed vulnerabilities:
1. Adobe ColdFusion Code Execution Vulnerability (CVE-2023-38204):
- CVSS: 9.8
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Gain Access
2. Adobe ColdFusion Security Bypass Vulnerability (CVE-2023-38205):
- CVSS: 7.5
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Bypass Security
The affected versions:
- ColdFusion 2018 update 18 and earlier versions.
- ColdFusion 2021 update 8 and earlier versions.
- ColdFusion 2023 update 2 and earlier versions.
It should be highlighted that Adobe is aware that “CVE-2023-38205” has been exploited in the wild. Additionally, Adobe noted that if users become aware of any package with a deserialization vulnerability in the future, they should use the “serialfilter.txt” file in “<cfhome>/lib” to denylist the package.
Vulnerabilities
- CVE-2023-38204
- CVE-2023-38205
- CVE-2023-38206
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.