Adobe released an emergency security patch for ColdFusion, addressing a critical zero-day vulnerability. The tech giant warned users of active exploitation of the flaw, urging users to update their systems as soon as possible.
Active Exploitation Detected For Adobe ColdFusion Zero-Day
Adobe’s recent security bulletin highlights addressing a critical-severity zero-day flaw affecting Adobe ColdFusion. ColdFusion is Adobe’s proprietary software development platform facilitating rapid web application development. The platform includes an integrated IDE and full scripting language.
It helps develop diversified applications from data-driven sites to remote services such as WebSockets, REST services, SOAP web services, etc. According to Adobe’s advisory, the service has addressed three vulnerabilities in the tool. One of these, CVE-2023-38205, is a critical-severity flaw with a CVSS score of 7.5.
Adobe confirmed this vulnerability as a zero-day, detecting its active exploitation in “limited attacks.” The firm has not shared details about this vulnerability besides listing it as a security feature bypass due to improper access control.
However, researchers from Rapid7 reported the matter in detail when they noticed active exploitation attempts chaining the previously patched vulnerabilities CVE-2023-29298 (discovered by Rapid7) and CVE-2023-38203 (discovered by ProjectDiscovery).
The researchers observed that the patch for CVE-2023-29298 didn’t completely fix the issue, leaving space for adversaries to exploit the flaw. Following this discovery, Rapid7 swiftly reported the matter to Adobe, which then included the patch for CVE-2023-29298 with CVE-2023-38205.
The other two vulnerabilities fixed with the latest ColdFusion release include a critical code execution vulnerability due to the deserialization of untrusted data, CVE-2023-38204 (CVSS 9.8), and a moderate severity security feature bypass, CVE-2023-38206 (CVSS 5.3).
Adobe listed the following software versions as vulnerable to the flaws.
- ColdFusion 2023 (Update 2 and earlier)
- ColdFusion 2021 (Update 8 and earlier)
- ColdFusion 2018 (Update 18 and earlier)
Whereas the firm patched the issues with ColdFusion 2023 (Update 3), ColdFusion 2021 (Update 9), and ColdFusion 2018 (Update 19). Users must update their systems to these versions to receive the patches accordingly.
Attribution link