Rewterz Threat Advisory – Multiple Adobe ColdFusion Vulnerabilities Exploited in the Wild

Severity

High

Analysis Summary

CVE-2023-38206 CVSS:5.3

Adobe ColdFusion could allow a remote attacker to bypass security restrictions, caused by an improper access control vulnerability. By persuading a victim to open a specially crafted file, an attacker could exploit this vulnerability to bypass the security feature.

CVE-2023-38205 CVSS:7.5

Adobe ColdFusion could allow a remote attacker to bypass security restrictions, caused by an improper access control vulnerability. By persuading a victim to open a specially crafted file, an attacker could exploit this vulnerability to bypass the security feature.

CVE-2023-38204 CVSS:9.8

Adobe ColdFusion could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data. By persuading a victim to open a specially crafted file, an attacker could exploit this vulnerability to execute arbitrary code on the system.

CVE-2023-29298 CVSS:7.5

Adobe ColdFusion could allow a remote attacker to bypass security restrictions, caused by an improper access control vulnerability. By persuading a victim to open a specially crafted file, an attacker could exploit this vulnerability to bypass the security feature.

Impact

• Security Bypass
• Code Execution

Indicators Of Compromise

CVE

• CVE-2023-38206
• CVE-2023-38205
• CVE-2023-38204
• CVE-2023-29298

Affected Vendors

Adobe

Affected Products

• Adobe ColdFusion 2018 Update 16
• Adobe ColdFusion 2021 Update 6
• Adobe ColdFusion 2023 GA Release (2023.0.0.330468)
• Adobe ColdFusion 2023 Update 2
• Adobe ColdFusion 2021 Update 8
• Adobe ColdFusion 2018 Update 18

Remediation

Refer to Adobe Security Bulletin for patch, upgrade or suggested workaround information.

CVE-2023-38206

CVE-2023-38205

CVE-2023-38204

CVE-2023-29298