⚠ Actively exploited in ransomware campaigns
This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable. Due date: 2024-01-29.

CVE-2023-38203: Deserialization of Untrusted Data in Adobe ColdFusion

Severity: 9.8 CRITICAL (NVD)
EPSS: 94.2% (top 0.07%)
CISA KEV: listed, Ransomware; added 2024-01-08, due 2024-01-29
Exploit: Exploited in wild; active exploitation observed
Timeline: Published Jul 20; KEV added Jan 8; KEV due Jan 29

Description

Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (2 packages)

CVEListV5: adobe/coldfusion cf2023U1 (+1)
NVD: adobe/coldfusion 2018, 2021, 2023 (+2)

Patches

🔴 Vulnerability Details (3)

CVEList: Analysis CVE-2023-29300 Bypass: Adobe ColdFusion Pre-Auth RCE (2023-07-20)
GHSA: GHSA-4vp5-7p37-q66w: Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution (2023-07-20)
VulnCheck: Adobe ColdFusion Deserialization of Untrusted Data Vulnerability (2023)

💥 Exploits & PoCs (1)

Nuclei: Adobe ColdFusion - Deserialization of Untrusted Data

📋 Vendor Advisories (1)

CISA: Adobe ColdFusion Deserialization of Untrusted Data Vulnerability (2024-01-08)
CVE-2023-38203 — Deserialization of Untrusted Data | cvebase