DIVD-2023-00032 - Access Control Bypass - CVE-2023-29298 & CVE-2023-38205
|Case lead||Finn van der Knaap|
|Recommendation||Update to the latest version|
|Last modified||09 Aug 2023 11:23|
Adobe’s ColdFusion, a web application framework based on CFML, is currently facing multiple security vulnerabilities. These issues range from authentication bypasses, enabling unauthorized access, to the more concerning unauthenticated remote code execution, allowing attackers to take full control without valid credentials. With this case we are scanning for the actively exploited access control bypass (CVE-2023-38205 and CVE-2023-29298). These vulnerabilities combined with antoher vulnerability, leads to an RCE. It is advised to update as soon as possible.
What you can do
- Update to the latest version.
What we are doing
- DIVD is currently identifying all the vulnerable Adobe Coldfusion servers.
|14 Jul 2023||Started research|
05 Aug 2023-
08 Aug 2023
- Adobe Bulletin of CVE-2023-38205
- Adobe Bulletin of CVE-2023-29298
- Bleepingcomputer article
- NIST “CVE-2023-29298 Detail”
- Rapid7 CVE-2023-29298 Detail”
- Projectdiscovery blog
- NIST “CVE-2023-38205 Detail”