Adobe has released a set of updates to address a critical flaw in ColdFusion, tracked as CVE-2023-38205, which had an incomplete fix and was actively exploited in the wild. The vulnerability is described as an instance of improper access control that could result in a security bypass.
It affects several versions of ColdFusion, including ColdFusion 2023 (Update 2 and earlier versions), ColdFusion 2021 (Update 8 and earlier versions), and ColdFusion 2018 (Update 18 and earlier versions). Adobe acknowledged that CVE-2023-38205 had been targeted in limited attacks against Adobe ColdFusion.
Apart from addressing CVE-2023-38205, the update also fixed two other flaws. One of them is a critical deserialization bug, CVE-2023-38204, which could lead to remote code execution.
The second flaw is another improper access control issue, CVE-2023-38206, which could also allow for a security bypass. Rapid7 previously warned that the initial fix for CVE-2023-29298, an access control bypass vulnerability, was incomplete, and this could be exploited by malicious actors to deploy web shells on compromised systems for backdoor access.
Adobe ColdFusion users are strongly advised to update their installations to the latest versions to mitigate potential threats. The cybersecurity firm Rapid7 confirmed that the new patch completely plugs the security hole, ensuring better protection against the active exploitation. The company’s prompt response and update release demonstrate their commitment to addressing vulnerabilities and safeguarding users from potential risks in their software products.
Keeping software up-to-date is crucial in maintaining a secure computing environment and defending against cyber threats.