DIVD-2023-00032 - Access Control Bypass - CVE-2023-29298 & CVE-2023-38205
| Our reference | DIVD-2023-00032 |
| Case lead | Finn van der Knaap |
| Researcher(s) | |
| CVE(s) | |
| Product | Adobe coldfusion |
| Versions |
|
| Recommendation | Update to the latest version |
| Status | Open |
| Last modified | 09 Aug 2023 11:23 |
Summary
Adobe’s ColdFusion, a web application framework based on CFML, is currently facing multiple security vulnerabilities. These issues range from authentication bypasses, enabling unauthorized access, to the more concerning unauthenticated remote code execution, allowing attackers to take full control without valid credentials. With this case we are scanning for the actively exploited access control bypass (CVE-2023-38205 and CVE-2023-29298). These vulnerabilities combined with antoher vulnerability, leads to an RCE. It is advised to update as soon as possible.
What you can do
- Update to the latest version.
What we are doing
- DIVD is currently identifying all the vulnerable Adobe Coldfusion servers.
Timeline
| Date | Description |
|---|---|
| 14 Jul 2023 | Started research |
|
05 Aug 2023- 08 Aug 2023 |
publishing casefile |
gantt
title DIVD-2023-00032 - Access Control Bypass - CVE-2023-29298 & CVE-2023-38205
dateFormat YYYY-MM-DD
axisFormat %e %b %Y
section Case
DIVD-2023-00032 - Access Control Bypass - CVE-2023-29298 & CVE-2023-38205 (still open) :2023-07-14, 2024-05-02
section Events
Started research : milestone, 2023-07-14, 0d
publishing casefile (3 days) : 2023-08-05, 2023-08-08
More information
- Adobe Bulletin of CVE-2023-38205
- Adobe Bulletin of CVE-2023-29298
- Bleepingcomputer article
- NIST “CVE-2023-29298 Detail”
- Rapid7 CVE-2023-29298 Detail”
- Projectdiscovery blog
- NIST “CVE-2023-38205 Detail”