Jul 20, 2023THNSoftware Security / Vulnerability

ColdFusion Vulnerability

Adobe has released a fresh round of updates to address an incomplete fix for a recently disclosed ColdFusion flaw that has come under active exploitation in the wild.

The critical shortcoming, tracked as CVE-2023-38205 (CVSS score: 7.5), has been described as an instance of improper access control that could result in a security bypass. It impacts the following versions:

  • ColdFusion 2023 (Update 2 and earlier versions)
  • ColdFusion 2021 (Update 8 and earlier versions), and
  • ColdFusion 2018 (Update 18 and earlier versions)

“Adobe is aware that CVE-2023-38205 has been exploited in the wild in limited attacks targeting Adobe ColdFusion,” the company said.

The update also addresses two other flaws, including a critical deserialization bug (CVE-2023-38204, CVSS score: 9.8) that could lead to remote code execution and a second improper access control flaw that could also pave the way for a security bypass (CVE-2023-38206, CVSS score: 5.3).

UPCOMING WEBINAR

Shield Against Insider Threats: Master SaaS Security Posture Management

Worried about insider threats? We’ve got you covered! Join this webinar to explore practical strategies and the secrets of proactive security with SaaS Security Posture Management.

Join Today

The disclosure arrives days after Rapid7 warned that the fix put in place for CVE-2023-29298 was incomplete and that it could be trivially sidestepped by malicious actors. The cybersecurity firm has confirmed that the new patch completely plugs the security hole.

CVE-2023-29298, an access control bypass vulnerability, has been weaponized in real-world attacks by chaining it with another flaw that’s suspected to be CVE-2023-38203 to drop web shells on compromised systems for backdoor access.

Adobe ColdFusion users are highly recommended to update their installations to the latest version to mitigate potential threats.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Source: thehackernews.com/