ClickySkip to main content
Need help with a cyber incident now?
Call 24/7: +31 88-2747800

Adobe Coldfusion vulnerabilities

Adobe Coldfusion

This live blog contains information regarding vulnerabilities in Adobe Coldfusion. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog. Last updated on July 20, 2023.

Update 20 July 2023

17:30 | On the 11th, 14th, and 19th of July 2023, Adobe has released security bulletins regarding a total of seven vulnerabilities in the product Adobe Coldfusion. Three of the seven vulnerabilities are critical. The vulnerabilities are applicable to the following versions: ColdFusion 2018, ColdFusion 2021, and ColdFusion 2023.

The three security bulletins describe vulnerabilities that could lead to arbitrary code execution. Two out of the three security bulletins describe vulnerabilities that could lead to a security feature bypass.

WARNING: The earlier advice from Adobe regarding the workaround by enabling lockdown-mode can be bypassed by chaining multiple vulnerabilities. These are the so-called “security feature bypass” vulnerabilities.

There are software updates available to remediate the vulnerabilities. Our advice is to apply them as soon as possible.

Reason and background of this blog

This blog contains information about vulnerabilities, the possible risk and advice on how to prevent or limit damage. Below are the possible risks, details and background information.

Vulnerability information

On the 11th, 14th, and 19th of July 2023, Adobe has released security bulletins regarding a total of seven vulnerabilities in the product Adobe Coldfusion. Three of the seven vulnerabilities are critical. The vulnerabilities are applicable to the following versions: ColdFusion 2018, ColdFusion 2021, and ColdFusion 2023.

The three security bulletins describe vulnerabilities that could lead to arbitrary code execution. Two out of the three security bulletins describe vulnerabilities that could lead to a security feature bypass.

Potential Risk

The vulnerabilities CVE-2023-29298, CVE-2023-38203, and CVE-2023-38205 have a CVSSv3-score of 9.8. The CVSS-scale runs from 0 to 10. A score of 9.8 or higher is rare and implies a high risk of exploitation with high impact. All three vulnerabilities are unauthenticated remote code execution vulnerabilities, allowing an unauthenticated remote attacker to execute code.

The vulnerabilities are exploited in the wild and there is also a proof-of-concept exploit publicly available.

Detail info

The vulnerabilities CVE-2023-29300, CVE-2023-38203, and CVE-2023-38204 are related to extracting untrustworthy data without performing sufficient verification of the data. Below an overview of all vulnerabilities:


Bulletin
Vulnerability Category Vulnerability Impact Severity CVSS base score CVE Numbers
 

APSB23-40

Improper Access Control Security feature bypass Critical 7.5 CVE-2023-29298
 

APSB23-40

Deserialization of Untrusted Data Arbitrary code execution Critical 9.8 CVE-2023-29300
 

APSB23-40

Improper Restriction of Excessive Authentication Attempts Security feature bypass Important 5.9 CVE-2023-29301
 

APSB23-41

Deserialization of Untrusted Data Arbitrary code execution Critical 9.8 CVE-2023-38203
 

APSB23-47

Deserialization of Untrusted Data Arbitrary code execution Critical 9.8 CVE-2023-38204
 

APSB23-47

Improper Access Control Security feature bypass Critical 7.5 CVE-2023-38205
 

APSB23-47

Improper Access Control Security feature bypass Moderate 5.3 CVE-2023-38206

The following Adobe Coldfusion products and versions are vulnerable:

  • ColdFusion 2018 update 18 and earlier versions
  • ColdFusion 2021 update 8 and earlier versions
  • ColdFusion 2023 update 2 and earlier versions

Adobe has made software patches available for the vulnerabilities. We advise to patch immediately. The vulnerabilities are resolved in the following software versions:

  • Coldfusion 2018 update 19
  • Coldfusion 2021 update 9
  • Coldfusion 2023 update 3

WARNING: The earlier advice from Adobe regarding the workaround by enabling lockdown-mode can be bypassed by chaining multiple vulnerabilities. These are the so-called “security feature bypass” vulnerabilities.

Indicators are known and research is being conducted into the available logging regarding these indicators for existing customers by our Security Operations Center.

IP-addresses:

  • 62.233.50[.]13
  • 5.182.36[.]4
  • 195.58.48[.]155

Domains:

  • oastify[.]com
  • ckeditr[.]cfm

Subscribe

Do you want to be informed in time? Sign up for our technical updates

Would you like to receive these critical vulnerabilities by e-mail from now on? Enter your e-mail address below.

Tesorion uses your personal data to send out requested information and possibly for contact by telephone and for marketing and sales purposes. You can change your preferences whenever you want. Read our privacy policy for more information.