Adobe fixes patch bypass for exploited ColdFusion CVE-2023-29298 flaw

2023-07-19 20:37

Adobe released an emergency ColdFusion security update that fixes critical vulnerabilities, including a fix for a new zero-day exploited in attacks.

As part of today's out-of-band update, Adobe fixed three vulnerabilities: a critical RCE tracked as CVE-2023-38204, a critical Improper Access Control flaw tracked as CVE-2023-38205, and a moderate Improper Access Control flaw tracked as CVE-2023-38206.

Adobe says the CVE-2023-38205 flaw was abused in limited attacks.

"Adobe is aware that CVE-2023-38205 has been exploited in the wild in limited attacks targeting Adobe ColdFusion," explains the Adobe security bulletin.

The CVE-2023-38205 flaw is a patch bypass for the fix for CVE-2023-29298, a ColdFusion authentication bypass discovered by Rapid7 researchers Stephen Fewer on July 11th. On July 13th, Rapid7 observed attackers chaining exploits for the CVE-2023-29298 and what appeared to be the CVE-2023-29300/CVE-2023-38203 flaws to install webshells on vulnerable ColdFusion servers to gain remote access to devices.

Critical ColdFusion flaws exploited in attacks to drop webshells.

News URL

https://www.bleepingcomputer.com/news/security/adobe-fixes-patch-bypass-for-exploited-coldfusion-cve-2023-29298-flaw/

#adobe #bypass #coldfusion #patch #CVE-2023-38204 #CVE-2023-38205 #CVE-2023-38203 #CVE-2023-38206 #CVE-2023-29300 #CVE-2023-29298

Related Vulnerability

DATE	CVE	VULNERABILITY TITLE	RISK
2023-09-14	CVE-2023-38206	Unspecified vulnerability in Adobe Coldfusion 2018/2021/2023 Adobe ColdFusion versions 2018u18 (and earlier), 2021u8 (and earlier) and 2023u2 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. network low complexity adobe	5.3
2023-09-14	CVE-2023-38205	Unspecified vulnerability in Adobe Coldfusion 2018/2021/2023 Adobe ColdFusion versions 2018u18 (and earlier), 2021u8 (and earlier) and 2023u2 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. network low complexity adobe	7.5
2023-09-14	CVE-2023-38204	Deserialization of Untrusted Data vulnerability in Adobe Coldfusion 2018/2021/2023 Adobe ColdFusion versions 2018u18 (and earlier), 2021u8 (and earlier) and 2023u2 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. network low complexity adobe CWE-502 critical	9.8
2023-07-20	CVE-2023-38203	Deserialization of Untrusted Data vulnerability in Adobe Coldfusion 2018/2021/2023 Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. network low complexity adobe CWE-502 critical	9.8
2023-07-12	CVE-2023-29300	Deserialization of Untrusted Data vulnerability in Adobe Coldfusion 2018/2021/2023 Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier) and 2023.0.0.330468 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. network low complexity adobe CWE-502 critical	9.8
2023-07-12	CVE-2023-29298	Unspecified vulnerability in Adobe Coldfusion 2018/2021 Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier) and 2023.0.0.330468 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. network low complexity adobe	7.5

Related vendor

VENDOR	LAST 12M	#/PRODUCTS	LOW	MEDIUM	HIGH	CRITICAL	TOTAL VULNS
Adobe		166	68	2164	962	2112	5306