Adobe has released a second round of patches for some recently disclosed ColdFusion vulnerabilities, including flaws that appear to have been exploited in attacks.
On July 11, Adobe announced patches for CVE-2023-29298, an improper access control issue that can lead to a security feature bypass. On July 14, the company informed customers about fixes for CVE-2023-38203, a deserialization issue that could lead to arbitrary code execution.
A few days later, cybersecurity firm Rapid7 reported seeing attacks aimed at ColdFusion users. The company’s analysis showed that the attackers had exploited CVE-2023-29298 and chained it with what appeared to be CVE-2023-38203.
Rapid7 pointed out at the time that Adobe’s patch for CVE-2023-29298 was incomplete and easy to bypass.
On Wednesday, July 19, Adobe announced another ColdFusion update to patch three new CVEs. One of them, CVE-2023-38205, is the bypass for CVE-2023-29298.
The software giant warned in its advisory that CVE-2023-38205 has been “exploited in the wild in limited attacks”.
While ‘limited attacks’ could suggest exploitation by state-sponsored threat actors in highly targeted operations, ColdFusion vulnerabilities have also been known to be exploited by profit-driven cybercrime groups.
Adobe has yet to confirm that CVE-2023-38203 has also been exploited in the wild.
CVE-2023-38203 was reported to Adobe by two parties, including researchers at open source security firm ProjectDiscovery.
On July 12, ProjectDiscovery made public what they believed to be an analysis of CVE-2023-29300, another ColdFusion vulnerability that could lead to remote code execution. However, their analysis inadvertently also disclosed CVE-2023-38203, which at the time had yet to be patched — Adobe released patches on July 14.
ProjectDiscovery quickly pulled its blog post after being notified by Adobe and on July 19 it re-published the post with clarifications. The company found that Adobe’s patch for CVE-2023-38203 was incomplete and one of Adobe’s latest ColdFusion fixes, for CVE-2023-38204, actually addresses that patch bypass.
Adobe on Wednesday also released a patch for CVE-2023-38206, a ColdFusion vulnerability discovered by researcher Brian Reilly, who was recently also credited by Adobe for another ColdFusion flaw tracked as CVE-2023-29301. The timing suggests that CVE-2023-38206 may have been assigned after the patch for CVE-2023-29301 was bypassed. SecurityWeek has reached out to Reilly for confirmation and will update this article if he responds.
UPDATE: Reilly told SecurityWeek that CVE-2023-38206 is unrelated to CVE-2023-29301.
Related: Patch Tuesday: Critical Flaws in Adobe Commerce Software
Related: Adobe Patches 14 Vulnerabilities in Substance 3D Painter
Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- CISA Warns of Old JBoss RichFaces Vulnerability Being Exploited in Attacks
- NIST Publishes Final Version of 800-82r3 OT Security Guide
- Johnson Controls Hit by Ransomware
- Verisoul Raises $3.25 Million in Seed Funding to Detect Fake Users
- Government Shutdown Could Bench 80% of CISA Staff
- Google Rushes to Patch New Zero-Day Exploited by Spyware Vendor
- macOS 14 Sonoma Patches 60 Vulnerabilities
- New GPU Side-Channel Attack Allows Malicious Websites to Steal Data
Latest News
- Bankrupt IronNet Shuts Down Operations
- AWS Using MadPot Decoy System to Disrupt APTs, Botnets
- Generative AI Startup Nexusflow Raises $10.6 Million
- In Other News: RSA Encryption Attack, Meta AI Privacy, ShinyHunters Hacker Guilty Plea
- Researchers Extract Sounds From Still Images on Smartphone Cameras
- National Security Agency is Starting an Artificial Intelligence Security Center
- CISA Warns of Old JBoss RichFaces Vulnerability Being Exploited in Attacks
- Hackers Set Sights on Apache NiFi Flaw That Exposes Many Organizations to Attacks
