Adobe has released a new update round to address an incomplete fix for a recently disclosed ColdFusion flaw that has been actively exploited in the wild.
Critical flaws, tracked as CVE-2023-38205 (CVSS score: 7.5), has been described as an example of improper access control that could result in security bypass. This impacts the following versions:
- ColdFusion 2023 (Update 2 and earlier)
- ColdFusion 2021 (Update 8 and earlier), and
- ColdFusion 2018 (Update 18 and earlier)
“Adobe is aware that CVE-2023-38205 has been wildly exploited in a limited attack targeting Adobe ColdFusion,” the company said. said.
The update also addresses two other vulnerabilities, including a critical deserialization bug (CVE-2023-38204CVSS score: 9.8) which can lead to improper remote code execution and second access control flaws which can also pave the way for security bypass (CVE-2023-38206CVSS score: 5.3).
Protecting Against Insider Threats: SaaS Master Security Posture Management
Worried about insider threats? We are here to help you! Join this webinar to explore practical strategies and secrets to proactive security with SaaS Security Posture Management.
The disclosure comes days after Rapid7 warned that the fix made for CVE-2023-29298 was incomplete and could be bypassed by bad actors. Cybersecurity companies have confirmed that the new patch completely clogs the security hole.
CVE-2023-29298, an access control bypass vulnerability, has been weaponized in real-world attacks by chaining it with another suspected flaw CVE-2023-38203 to drop a web shell on a compromised system for backdoor access.
Adobe ColdFusion users are strongly advised to update their installation to the latest version to mitigate potential threats.