Adobe has recently issued a fresh set of updates to rectify an incomplete fix for a recently revealed vulnerability in ColdFusion, which has been actively exploited in real-world scenarios.
CVE-2023-38205
This critical issue, identified as CVE-2023-38205 with a CVSS score of 7.5, is categorized as improper access control, posing a potential security bypass threat. The impacted versions include:
ColdFusion 2023 (Update 2 and earlier versions)
ColdFusion 2021 (Update 8 and earlier versions)
ColdFusion 2018 (Update 18 and earlier versions)
According to Adobe, they are aware of limited attacks targeting Adobe ColdFusion through the exploitation of CVE-2023-38205.
The update not only addresses CVE-2023-38205 but also tackles two other vulnerabilities. One of them is a critical deserialization flaw known as CVE-2023-38204, CVSS score 9.8, that could lead to remote code execution. The other vulnerability, CVE-2023-38206, is also related to improper access control (CVSS score 5.3) and could potentially result in a security bypass.
What Is Adobe ColdFusion?
Adobe ColdFusion is a commercial web application development platform and programming language developed by Adobe Systems (formerly Macromedia). It allows developers to build dynamic websites, web applications, and web services by enabling easy integration with databases and other technologies. ColdFusion is known for its rapid development capabilities and offers a high level of productivity for creating feature-rich web applications.
CVE-2023-29298
On July 11, 2023, both Rapid7 and Adobe made a joint disclosure about CVE-2023-29298, an access control bypass vulnerability that impacts ColdFusion. Rapid7 had previously reported this vulnerability to Adobe in April 2023. The flaw enables attackers to circumvent the security measure that restricts external access to the ColdFusion Administrator.
At the time of their coordinated disclosure, both Rapid7 and Adobe believed that CVE-2023-29298 had been fixed. However, it’s important to note that Rapid7 explicitly stated that they had not tested the patch released by Adobe.
Just days after being warned by Rapid7 about the incomplete fix for CVE-2023-29298, which could be easily bypassed by malicious individuals, this new disclosure was made. The cybersecurity firm has now confirmed that the latest patch effectively addresses the security gap.
The vulnerability CVE-2023-29298, classified as an access control bypass, has already been exploited in real-world attacks. In these incidents, attackers have combined it with another suspected flaw, possibly CVE-2023-38203, to deploy web shells on compromised systems and establish backdoor access.
For Adobe ColdFusion users, it is highly advised to promptly update their installations to the most recent version as a precautionary measure against potential threats.