Adobe ColdFusion Improper Access Control Vulnerability - 20230721001
Overview
Rapid7 and Adobe disclosed CVE-2023-29298, an access control bypass affecting ColdFusion that Rapid7 reported to Adobe in April 2023. The vulnerability allows an attacker to bypass the product feature that restricts external access to the ColdFusion Administrator. On reviewing the patch for CVE-2023-29298, Rapid7 found that it does not fully remediate the original issue and can itself be bypassed. Adobe assigned CVE-2023-38205 to the patch bypass and has issued a complete fix.
What is the vulnerability?
- CVE-2023-29298 - CVSS v3 Base Score: 7.5
- CVE-2023-38205 - CVSS v3 Base Score: N/A
What is vulnerable?
The vulnerabilities affect the following ColdFusion releases:
- ColdFusion 2023 Update 2 and earlier versions
- ColdFusion 2021 Update 8 and earlier versions
- ColdFusion 2018 Update 18 and earlier versions
What has been observed?
CISA added this vulnerability to its Known Exploited Vulnerabilities catalog on July 20, 2023. There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.
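The access-control feature at issue restricts who may reach the ColdFusion Administrator, so a practical hunt is to look in web-server or reverse-proxy access logs for requests whose canonical path is under the Administrator and whose client address is outside the organisation's trusted ranges. The Python below is an added example written for this advisory, not code from Adobe, Rapid7 or the WA SOC. It assumes an Apache/NGINX combined-format access log and treats RFC 1918 and loopback addresses as internal; the sample lines, including the non-canonical paths, are constructed to exercise the path normaliser and say nothing about how either CVE is triggered.

```python
"""Hunt web-server access logs for ColdFusion Administrator requests that
arrive from external addresses.  Added example for this advisory; the
assumptions are flagged in comments."""
import ipaddress
import re
from urllib.parse import unquote

# Path prefix of the ColdFusion Administrator as seen by the web server.
ADMIN_PREFIX = "/cfide/administrator"

# Assumption: ranges treated as "internal" (RFC 1918 plus loopback); extend
# with your own management ranges.  ipaddress.is_private is deliberately not
# used because it also classifies the documentation ranges in the sample log
# as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128",
)]

# Assumption: Apache/NGINX combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log.  The odd-looking paths exist only to exercise the
# normaliser below; they are not a description of either CVE.
SAMPLE_LOG = """\
203.0.113.10 - - [19/Jul/2023:10:02:11 +0800] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 403 512 "-" "Mozilla/5.0"
203.0.113.10 - - [19/Jul/2023:10:02:14 +0800] "GET //CFIDE/administrator/index.cfm HTTP/1.1" 200 8831 "-" "Mozilla/5.0"
10.20.30.40 - - [19/Jul/2023:10:05:01 +0800] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 8831 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Jul/2023:10:07:33 +0800] "GET /cfide/./administrator/enter.cfm?locale=en HTTP/1.1" 200 6120 "-" "curl/8.1.2"
198.51.100.7 - - [19/Jul/2023:10:08:00 +0800] "POST /%43FIDE/administrator/enter.cfm HTTP/1.1" 302 0 "-" "curl/8.1.2"
203.0.113.55 - - [19/Jul/2023:10:09:45 +0800] "GET /index.cfm HTTP/1.1" 200 3210 "-" "Mozilla/5.0"
"""


def normalize_path(raw: str) -> str:
    """Reduce a request target to a canonical, lower-cased absolute path.

    Strips the query string, percent-decodes repeatedly (bounded) so that
    double-encoded bytes are resolved, treats backslashes as slashes, and
    drops empty, '.' and '..' segments.  Matching on the canonical form means
    variants of the same path cannot slip past a naive prefix check.
    """
    path = raw.split("?", 1)[0].split("#", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    segments = []
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments).lower()


def is_external(ip_text: str, internal_nets=INTERNAL_NETS) -> bool:
    """True if the client address lies outside every internal range."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return True  # unparseable client field: treat as untrusted
    return not any(addr in net for net in internal_nets)


def find_admin_access(lines, internal_nets=INTERNAL_NETS):
    """Return one finding per request whose canonical path is under the
    ColdFusion Administrator and whose client address is external."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        canon = normalize_path(m["path"])
        if not (canon == ADMIN_PREFIX or canon.startswith(ADMIN_PREFIX + "/")):
            continue
        if not is_external(m["ip"], internal_nets):
            continue
        status = int(m["status"])
        findings.append({
            "ip": m["ip"],
            "timestamp": m["ts"],
            "method": m["method"],
            "raw_path": m["path"],
            "canonical_path": canon,
            "status": status,
            # 2xx/3xx means neither the server nor anything in front of it
            # refused the request; those findings deserve priority.
            "not_blocked": status < 400,
        })
    return findings


if __name__ == "__main__":
    for f in find_admin_access(SAMPLE_LOG.splitlines()):
        flag = "NOT BLOCKED" if f["not_blocked"] else "blocked"
        print(f'{f["timestamp"]} {f["ip"]} {f["method"]} {f["raw_path"]} -> {f["status"]} ({flag})')
```

Run against your own access logs by replacing `SAMPLE_LOG` with the file contents, and add the organisation's administrative ranges to `INTERNAL_NETS`; any finding marked NOT BLOCKED from an unexpected source is the request to investigate first, since it indicates the Administrator was reachable from outside.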
Recommendation
The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within the expected timeframe of two weeks... (refer to Patch Management):