⚠ Actively exploited

Added to CISA KEV on 2023-07-20. Federal agencies required to patch by 2023-08-10. Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable..

CVE-2023-29298 — Improper Access Control in Adobe Coldfusion

CWE-284 — Improper Access Control8 documents8 sources

Severity

7.5HIGHNVD

EPSS

94.3%

top 0.06%

CISA KEV

KEV

Added 2023-07-20

Due 2023-08-10

Exploit

Exploited in wild

Active exploitation observed

Affected products

Adobe Coldfusion

Timeline

PublishedJul 12

KEV addedJul 20

KEV dueAug 10

Latest updateDec 21

CISA Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Description

Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier) and 2023.0.0.330468 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to access the administration CFM and CFC endpoints. Exploitation of this issue does not require user interaction.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5adobe/coldfusioncf2023U2+1

▶NVDadobe/coldfusion2018, 2021, 2023+2

🔴Vulnerability Details

CVEList

Adobe ColdFusion Improper Access Control Security feature bypass↗2023-07-12

▶

GHSA

GHSA-9fcc-rhq3-fh3c: Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier) and 2023↗2023-07-12

▶

VulnCheck

Adobe ColdFusion Improper Access Control Vulnerability↗2023

▶

💥Exploits & PoCs

Nuclei

Adobe ColdFusion - Access Control Bypass

▶

📋Vendor Advisories

CISA

Adobe ColdFusion Improper Access Control Vulnerability↗2023-07-20

▶

💬Community

HackerOne

Adobe ColdFusion Access Control Bypass - CVE-2023-38205↗2023-12-21

▶