DIVD-2023-00032 - Access Control Bypass - CVE-2023-29298 & CVE-2023-38205

Our reference DIVD-2023-00032
Case lead Finn van der Knaap
Researcher(s)
CVE(s)
Product Adobe coldfusion
Versions
  • ColdFusion 2023 <= update 2
  • ColdFusion 2021 <= update 8
  • ColdFusion 2018 <= update 18
Recommendation Update to the latest version
Status Closed
Last modified 04 May 2024 19:46 CEST

Summary

Adobe’s ColdFusion, a web application framework based on CFML, is currently facing multiple security vulnerabilities. These issues range from authentication bypasses, enabling unauthorized access, to the more concerning unauthenticated remote code execution, allowing attackers to take full control without valid credentials. With this case we are scanning for the actively exploited access control bypass (CVE-2023-38205 and CVE-2023-29298). These vulnerabilities combined with antoher vulnerability, leads to an RCE. It is advised to update as soon as possible.

What you can do

What we are doing

Timeline

Date Description
14 Jul 2023-
11 Aug 2023		 Started research
05 Aug 2023-
08 Aug 2023		 publishing casefile
11 Aug 2023-
11 Aug 2023		 Started scanning for vulnerable instances
11 Aug 2023 Mails sent
11 Aug 2023 Case closed
gantt title DIVD-2023-00032 - Access Control Bypass - CVE-2023-29298 & CVE-2023-38205 dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2023-00032 - Access Control Bypass - CVE-2023-29298 & CVE-2023-38205 (28 days) :2023-07-14, 2023-08-11 section Events Started research (28 days) : 2023-07-14, 2023-08-11 publishing casefile (3 days) : 2023-08-05, 2023-08-08 Started scanning for vulnerable instances (0 days) : 2023-08-11, 2023-08-11 Mails sent : milestone, 2023-08-11, 0d Case closed : milestone, 2023-08-11, 0d

More information