Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
Vulnerability DatabaseCVE-2023-38205
CVE-2023-38205:
Adobe ColdFusion 2018 vulnerability analysis and mitigation
Overview
Adobe ColdFusion versions 2018u18 (and earlier), 2021u8 (and earlier), and 2023u2 (and earlier) are affected by an Improper Access Control vulnerability (CVE-2023-38205) that could result in a security feature bypass. The vulnerability was discovered in July 2023 and allows attackers to access the administration CFM and CFC endpoints without requiring user interaction (NVD, Rapid7 Blog).
Technical details
The vulnerability stems from an incomplete fix for CVE-2023-29298, specifically in how ColdFusion handles ColdFusion Modules (CFM) and ColdFusion Component (CFC) endpoints when resolving paths. The issue lies in the Utils.collapseDotDots method, where an attacker can bypass access control by using a URL path like '/hax/..CFIDE/wizards/common/utils.cfc'. The method transforms the path incorrectly, allowing access to restricted endpoints. The vulnerability has a CVSS v3.1 base score of 7.5 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (Rapid7 Blog).
Impact
The vulnerability allows attackers to bypass security features and access administration CFM and CFC endpoints. This access control bypass could potentially lead to unauthorized access to sensitive administrative functions. Adobe has confirmed that the vulnerability has been exploited in the wild in limited attacks targeting Adobe ColdFusion (Rapid7 Blog, Hacker News).
Mitigation and workarounds
Adobe has released patches to address this vulnerability on July 19, 2023. The fixed versions are: Adobe ColdFusion 2023 Update 3, Adobe ColdFusion 2021 Update 9, and Adobe ColdFusion 2018 Update 19. Due to active exploitation in the wild, users are strongly recommended to update to the latest versions immediately without waiting for regular patch cycles (Rapid7 Blog).
Community reactions
Adobe acknowledged the severity of the vulnerability and confirmed its exploitation in the wild. The company provided an official statement to Rapid7: 'Adobe recommends updating ColdFusion installations to the latest release. Please see APSB23-47 for more information. Adobe is aware that CVE-2023-38205 has been exploited in the wild in limited attacks targeting Adobe ColdFusion.' (Rapid7 Blog)
Additional resources
Source: This report was generated using AI
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Get a personalized demo
Ready to see Wiz in action?
“Best User Experience I have ever seen, provides full visibility to cloud workloads.”
David EstlickCISO
“Wiz provides a single pane of glass to see what is going on in our cloud environments.”
Adam FletcherChief Security Officer
“We know that if Wiz identifies something as critical, it actually is.”
Greg PoniatowskiHead of Threat and Vulnerability Management