CVE-2023-29298: 
Adobe ColdFusion 2018 vulnerability analysis and mitigation

Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier), and 2023.0.0.330468 (and earlier) are affected by an Improper Access Control vulnerability (CVE-2023-29298) that could result in a security feature bypass. The vulnerability was discovered by Rapid7 and reported to Adobe on April 11, 2023. This vulnerability allows attackers to bypass access controls and access the administration CFM and CFC endpoints without requiring user interaction (NVD, Rapid7).

The vulnerability exists in the access control feature implemented in the coldfusion.filter.IPFilterUtils class. The issue stems from the way the checkAdminAccess method validates URL paths using java.lang.String.startsWith. An attacker can bypass this control by inserting an additional forward slash character at the start of the URL path (e.g., //CFIDE/adminapi instead of /CFIDE/adminapi), which causes the startsWith check to fail while still allowing access to the resource. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) (Rapid7).

The vulnerability undermines the security guarantees offered by the ColdFusion Secure Profile. An attacker can access 437 CFM files and 96 CFC endpoints within the ColdFusion Administrator path /CFIDE/. This access allows attackers to log in to the ColdFusion Administrator with known credentials, attempt credential bruteforce attacks, leak sensitive information, and potentially exploit vulnerabilities in the exposed endpoints (Rapid7).

Adobe has released fixes for this vulnerability on July 11, 2023. Users should upgrade to ColdFusion 2023 GA build, ColdFusion 2021 Update 7, or ColdFusion 2018 Update 17. It's worth noting that Rapid7 reported an incomplete fix for this issue to Adobe on June 30, 2023, which led to a subsequent patch (Rapid7).