Summary
In July 2023, Adobe fixed a high severity access control bypass vulnerability (CVE-2023-29298, CVSS 7.5) in Adobe ColdFusion. Adobe ColdFusion is a web application development platform that uses the ColdFusion Markup Language (CFML) for server-side scripting. A threat actor can exploit this access control bypass vulnerability to log into a ColdFusion Administrator account, brute force credentials, or leak sensitive information. Adobe has stated they are aware that this vulnerability has been exploited in limited attacks.
Rapid7 additionally observed this vulnerability being chained with CVE-2023-38203 to install web shells. Rapid7 subsequently found a bypass of the CVE-2023-29298 patch (now tracked as CVE-2023-38205), which was already being exploited in attacks when it was reported.
Recommendations for CVE-2023-29298
Update Adobe ColdFusion to Fixed Version
Arctic Wolf strongly recommends upgrading Adobe ColdFusion to the latest fixed version.
| Product | Affected Version | Fixed Version |
|---|---|---|
| Adobe ColdFusion 2018 | Update 16 and earlier versions | Update 19 |
| Adobe ColdFusion 2021 | Update 6 and earlier versions | Update 9 |
| Adobe ColdFusion 2023 | Update 2 and earlier versions | Update 3 |
Please follow your organization’s patching and testing guidelines to avoid operational impact.
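The following is an added inventory-triage example, not code from Arctic Wolf or Adobe. It parses ColdFusion version strings of the form "Adobe ColdFusion 2021 Update 6" and flags every installation below the fixed update listed in the table above, including the intermediate updates that carried the original (later bypassed) patch. The hostnames and version strings are constructed samples.

```python
"""Flag ColdFusion installations that are below the fixed update for their release.

Added example (not the advisory's or Adobe's own code). The minimum fixed
update numbers come from the remediation table in this advisory; the sample
inventory below is constructed.
"""
import re

# Minimum fixed update per ColdFusion release, taken from the advisory table.
FIXED_UPDATE = {2018: 19, 2021: 9, 2023: 3}

# Matches "ColdFusion 2021 Update 6" or "ColdFusion 2018" (no update suffix).
_VERSION_RE = re.compile(r"ColdFusion\s+(\d{4})(?:\s+Update\s+(\d+))?", re.IGNORECASE)


def parse_version(text):
    """Return (release_year, update) from a version string.

    A release with no 'Update N' suffix is treated as Update 0 (base release).
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"not a ColdFusion version string: {text!r}")
    return int(m.group(1)), int(m.group(2) or 0)


def is_vulnerable(text):
    """True if the installation is below the fixed update for its release.

    Anything below the fixed update is flagged, including updates between the
    affected ceiling in the table and the fix, because the original patch was
    bypassed (CVE-2023-38205). Releases not covered by the table raise.
    """
    year, update = parse_version(text)
    if year not in FIXED_UPDATE:
        raise ValueError(f"release {year} is not covered by this advisory")
    return update < FIXED_UPDATE[year]


def triage(hosts):
    """Map host -> 'PATCH' or 'OK' for a dict of host -> version string."""
    return {host: ("PATCH" if is_vulnerable(v) else "OK") for host, v in hosts.items()}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_HOSTS = {
    "cf-prod-01": "Adobe ColdFusion 2021 Update 6",
    "cf-prod-02": "Adobe ColdFusion 2021 Update 9",
    "cf-legacy": "Adobe ColdFusion 2018",
    "cf-new": "ColdFusion 2023 Update 3",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_HOSTS).items():
        print(f"{host}: {status}")
```

Feed `triage` the output of your asset inventory; any host marked PATCH should be scheduled for the upgrade under your organization's patching process.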