Adobe Rolls Out New Patches for Actively Exploited ColdFusion Vulnerability

July 20, 2023 | THN | Software security / Vulnerabilities


Adobe has released another update to address an incomplete fix for a recently disclosed and actively exploited ColdFusion flaw.

Tracked as CVE-2023-38205 (CVSS score: 7.5), the flaw has been described as an instance of improper access control that could result in a security feature bypass. It affects the following versions:

  • ColdFusion 2023 (versions prior to Update 2)
  • ColdFusion 2021 (Update 8 and earlier versions), and
  • ColdFusion 2018 (versions prior to Update 18)
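The affected-version list above is the kind of thing an administrator ends up checking against an inventory by hand. The following script is an added example, not code from the article or from Adobe: it encodes the three thresholds exactly as the article states them and flags inventory entries that fall below them. The version-string formats it accepts, and the inventory entries themselves, are constructed for illustration; in particular the assumption that the comma-separated form reported by ColdFusion lists the update number in the third field is mine, not something the article confirms.

```python
import re

# First update that is NOT affected, per release line, taken from the article:
#   ColdFusion 2023: "versions prior to Update 2"   -> fixed at Update 2
#   ColdFusion 2021: "Update 8 and earlier"          -> fixed at Update 9
#   ColdFusion 2018: "versions prior to Update 18"  -> fixed at Update 18
FIRST_FIXED_UPDATE = {2023: 2, 2021: 9, 2018: 18}


def parse_version(text):
    """Return (year, update) parsed from a ColdFusion version string.

    Two input shapes are accepted (both assumed formats, constructed for this example):
      - human-readable:   "ColdFusion 2021 Update 8"  (a missing "Update N" counts as Update 0)
      - comma-separated:  "2021,0,08,330183"          (assumed layout: year, 0, update, build)
    """
    m = re.match(r"^\s*(20\d\d),\d+,(\d+),", text)
    if m:
        return int(m.group(1)), int(m.group(2))
    year_m = re.search(r"\b(20\d\d)\b", text)
    if not year_m:
        raise ValueError(f"no release year found in {text!r}")
    upd_m = re.search(r"Update\s*(\d+)", text, re.IGNORECASE)
    return int(year_m.group(1)), int(upd_m.group(1)) if upd_m else 0


def is_affected(text):
    """True if the version is below the first fixed update for its release line."""
    year, update = parse_version(text)
    if year not in FIRST_FIXED_UPDATE:
        raise ValueError(f"release line {year} is not covered by this advisory")
    return update < FIRST_FIXED_UPDATE[year]


def find_affected_hosts(inventory):
    """Return the hostnames in (host, version) pairs whose version is affected."""
    return [host for host, version in inventory if is_affected(version)]


# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = [
    ("cf-app-01.example.internal", "ColdFusion 2023 Update 1"),
    ("cf-app-02.example.internal", "ColdFusion 2023 Update 2"),
    ("cf-legacy-01.example.internal", "2021,0,08,330183"),
    ("cf-legacy-02.example.internal", "ColdFusion 2021 Update 9"),
    ("cf-old-01.example.internal", "ColdFusion 2018 Update 17"),
    ("cf-old-02.example.internal", "ColdFusion 2018 Update 18"),
]

if __name__ == "__main__":
    for host in find_affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: below the fixed update for its release line, patch required")
```

Hosts on an unlisted release line raise a `ValueError` rather than silently passing, since "not covered by this advisory" is not the same as "not vulnerable".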

“Adobe is aware that CVE-2023-38205 is being exploited in limited attacks targeting Adobe ColdFusion,” the company said.

The same update also addresses two other flaws: a critical deserialization bug (CVE-2023-38204, CVSS score: 9.8) that could lead to remote code execution, and a second improper access control flaw (CVE-2023-38206, CVSS score: 5.3) that could likewise result in a security bypass.


This disclosure comes days after Rapid7 warned that the fix for CVE-2023-29298 was incomplete and could be easily circumvented by malicious actors. The cybersecurity firm has confirmed that the new patch completely closes the security hole.

The access control bypass vulnerability, CVE-2023-29298, can be chained with a second flaw, CVE-2023-38203, which has been weaponized in real-world attacks, to drop a web shell onto a compromised system for backdoor access.

Adobe ColdFusion users are strongly encouraged to update their installations to the latest version to mitigate potential threats.
