CVE-2023-29300: 
Adobe ColdFusion 2018 vulnerability analysis and mitigation

Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier), and 2023.0.0.330468 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability (CVE-2023-29300) that could result in arbitrary code execution. The vulnerability was discovered by Nicolas Zilio of CrowdStrike and was disclosed on July 11, 2023. This vulnerability is particularly concerning as it does not require user interaction for exploitation (NVD).

The vulnerability is classified as a Deserialization of Untrusted Data (CWE-502) issue. It received a CVSS v3.1 Base Score of 9.8 CRITICAL with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating its severe nature. The vulnerability involves the Web Distributed Data eXchange (WDDX) functionality in ColdFusion, where the application implements a denylist of classes that cannot be deserialized (Rapid7).

The vulnerability could result in arbitrary code execution on affected systems. Given its critical severity rating and the fact that it requires no user interaction, successful exploitation could allow attackers to take complete control of the affected system. The vulnerability has been added to CISA's Known Exploited Vulnerabilities Catalog, highlighting its significant security impact (NVD).

Adobe has released security updates to address this vulnerability. Organizations are advised to update to Adobe ColdFusion 2018 Update 19, ColdFusion 2021 Update 9, or ColdFusion 2023 Update 3. CISA has directed federal agencies to apply vendor-provided mitigations or discontinue use of the product if mitigations are unavailable (Rapid7).