Critical Vulnerability in Adobe ColdFusion

The Critical vulnerability could allow an unauthenticated attacker to perform remote code execution

Threat ID:: CC-4360
Threat Severity:: Medium
Published:: 19 July 2023 2:40 PM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

The Critical vulnerability could allow an unauthenticated attacker to perform remote code execution

Affected platforms

The following platforms are known to be affected:

Adobe ColdFusion

ColdFusion 2018 - Versions 16 and earlier
ColdFusion 2021 - Versions 6 and earlier
ColdFusion 2023 - Versions GA Release (2023.0.0.330468)

Threat details

Evidence of CVE-2023-29300 and CVE-2023-26359 being exploited in the wild

Reports have indicated that the Critical vulnerability CVE-2023-29300 is being actively exploited in the wild. The Critical vulnerability CVE-2023-26359 has also been added to CISA's Known Exploited Vulnerability Catalog.

Introduction

Adobe has released a security bulletin addressing a Critical vulnerability in ColdFusion. The Critical vulnerability is known as CVE-2023-29300 and has a CVSSv3 score of 9.8.

CVE-2023-29300 is a pre-authentication remote code execution vulnerability, which could allow an unauthenticated attacker to perform remote code execution.

There are also two further vulnerabilities within the bulletin tracked as CVE-2023-29298 and CVE-2023-29301.

Vulnerability details

CVE-2023-29298 - A Critical vulnerability which could allow an attacker to bypass Adobe security features.
CVE-2023-29300 - A Critical vulnerability, which could allow an unauthenticated attacker to perform remote code execution.
CVE-2023-29301 - A Medium vulnerability, which could allow an attacker to bypass Adobe security features.

Threat updates

Date	Update
23 Aug 2023	CVE-2023-26359 added to the Known Exploited Vulnerability Catalog This article has been updated to reflect this change.

Remediation advice

Affected organisations are required to review the Adobe Security Bulletin and apply the relevant updates.

Definitive source of threat updates

https://helpx.adobe.com/security/products/coldfusion/apsb23-40.html

CVE Vulnerabilities

Status Published

CVE-2023-29298

Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier) and 2023.0.0.330468 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to access the administration CFM and CFC endpoints. Exploitation of this issue does not require user interaction.

Status Published

CVE-2023-29300

Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier) and 2023.0.0.330468 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.

Status Published

CVE-2023-29301

Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier) and 2023.0.0.330468 (and earlier) are affected by an Improper Restriction of Excessive Authentication Attempts vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to impact the confidentiality of the user. Exploitation of this issue does not require user interaction.

Status Published

CVE-2023-26359

Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction.

Last edited: 23 August 2023 3:21 pm