Adobe Fixes ColdFusion Zero-Day – Again
Rework of Previous Update Available for ColdFusion Versions 2023, 2021 and 2018
Adobe released a fresh out-of-band security update to patch an improperly fixed ColdFusion zero-day vulnerability being actively exploited in the wild that allows attackers to bypass security controls. The update includes fixes for two other critical vulnerabilities.
The critical zero-day, tracked as CVE-2023-38205, with a CVSS score of 7.5, is an instance of improper access control that results in a security bypass. “Adobe is aware that CVE-2023-38205 has been exploited in the wild in limited attacks targeting Adobe ColdFusion,” Adobe’s security bulletin says.
The zero-day affects the following versions:
- ColdFusion 2023 – Update 2 and earlier versions
- ColdFusion 2021 – Update 8 and earlier versions
- ColdFusion 2018 – Update 18 and earlier versions
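As an added illustration (not Adobe's or the article's own code), the following Python helper turns the affected-version list above into a check a defender can run over inventory data. It assumes version strings of the form "ColdFusion 2021 Update 8"; that input format is an assumption, and releases not named in the bulletin are reported as "not covered" rather than as safe.

```python
import re
from typing import Optional, Tuple

# Affected ranges as listed in Adobe's bulletin for CVE-2023-38205:
# each major release is affected at the listed update level and at every earlier update.
LAST_AFFECTED_UPDATE = {
    2023: 2,
    2021: 8,
    2018: 18,
}

# Assumed input format, e.g. "ColdFusion 2021 Update 8" (constructed for this example).
VERSION_RE = re.compile(r"ColdFusion\s+(\d{4})\s*Update\s*(\d+)", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, int]:
    """Extract (major release, update number) from an inventory string."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised ColdFusion version string: {text!r}")
    return int(m.group(1)), int(m.group(2))


def affected_by_cve_2023_38205(major: int, update: int) -> Optional[bool]:
    """True if the install falls inside the affected range, False if it is at or
    past the first unaffected update, None if the major release is not covered by
    the bulletin at all (for example an end-of-life release), which must not be
    read as 'safe'."""
    if major not in LAST_AFFECTED_UPDATE:
        return None
    return update <= LAST_AFFECTED_UPDATE[major]


def triage(text: str) -> str:
    """One-line verdict for a single inventory entry."""
    major, update = parse_version(text)
    verdict = affected_by_cve_2023_38205(major, update)
    if verdict is None:
        return f"ColdFusion {major}: not covered by this bulletin; check support status"
    if verdict:
        return f"ColdFusion {major} Update {update}: AFFECTED, apply the out-of-band update"
    return f"ColdFusion {major} Update {update}: at or beyond the affected range"


if __name__ == "__main__":
    # Constructed sample inventory lines.
    for line in ["ColdFusion 2023 Update 2", "ColdFusion 2021 Update 9",
                 "ColdFusion 2018 Update 18", "ColdFusion 2016 Update 5"]:
        print(triage(line))
```

The three-way result is deliberate: a release that the bulletin does not mention gives the operator no patch to apply, so the script flags it for a support-status check instead of silently treating it as unaffected.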
The Incomplete Fix
CVE-2023-38205 is a patch bypass for the incomplete fix for CVE-2023-29298, a ColdFusion authentication bypass discovered on July 11 by Rapid7 researcher Stephen Fewer.
Attackers used an exploit chain that capitalized on CVE-2023-29298 in the first part of the exploit and then used CVE-2023-29300/CVE-2023-38203 vulnerabilities to drop and run web shells on vulnerable ColdFusion servers to gain remote access to devices (see: Security Alert: Exploit Chain Actively Hits ColdFusion).
Adobe released an…