Adobe has released a second round of patches for some recently disclosed ColdFusion vulnerabilities, including flaws that appear to have been exploited in attacks.
On July 11, Adobe announced patches for CVE-2023-29298, an improper access control issue that can lead to a security feature bypass. On July 14, the company informed customers about fixes for CVE-2023-38203, a deserialization issue that could lead to arbitrary code execution.
A few days later, cybersecurity firm Rapid7 reported seeing attacks aimed at ColdFusion users. The company’s analysis showed that the attackers had exploited CVE-2023-29298 and chained it with what appeared to be CVE-2023-38203.
Rapid7 pointed out at the time that Adobe’s patch for CVE-2023-29298 was incomplete and easy to bypass.
The software giant warned in its advisory that CVE-2023-38205 has been “exploited in the wild in limited attacks”.
While ‘limited attacks’ could suggest exploitation by state-sponsored threat actors in highly targeted operations, ColdFusion vulnerabilities have also been known to be exploited by profit-driven cybercrime groups.
Adobe has yet to confirm that CVE-2023-38203 has also been exploited in the wild.
CVE-2023-38203 was reported to Adobe by two parties, including researchers at open source security firm ProjectDiscovery.
On July 12, ProjectDiscovery made public what they believed to be an analysis of CVE-2023-29300, another ColdFusion vulnerability that could lead to remote code execution. However, their analysis inadvertently also disclosed CVE-2023-38203, which at the time had yet to be patched — Adobe released patches on July 14.
ProjectDiscovery quickly pulled its blog post after being notified by Adobe and on July 19 it re-published the post with clarifications. The company found that Adobe’s patch for CVE-2023-38203 was incomplete and one of Adobe’s latest ColdFusion fixes, for CVE-2023-38204, actually addresses that patch bypass.
Adobe on Wednesday also released a patch for CVE-2023-38206, a ColdFusion vulnerability discovered by researcher Brian Reilly, who was recently also credited by Adobe for another ColdFusion flaw tracked as CVE-2023-29301. The timing suggests that CVE-2023-38206 may have been assigned after the patch for CVE-2023-29301 was bypassed. SecurityWeek has reached out to Reilly for confirmation and will update this article if he responds.
UPDATE: Reilly told SecurityWeek that CVE-2023-38206 is unrelated to CVE-2023-29301.