Skip to the content.

DIVD-2023-00032 - Access Control Bypass - CVE-2023-29298 & CVE-2023-38205

Our reference DIVD-2023-00032
Case lead Finn van der Knaap
Researcher(s)
CVE(s)
Product Adobe coldfusion
Versions
  • ColdFusion 2023 <= update 2
  • ColdFusion 2021 <= update 8
  • ColdFusion 2018 <= update 18
Recommendation Update to the latest version
Status Open
Last modified 09 Aug 2023 11:23

Summary

Adobe’s ColdFusion, a web application framework based on CFML, is currently facing multiple security vulnerabilities. These issues range from authentication bypasses, enabling unauthorized access, to the more concerning unauthenticated remote code execution, allowing attackers to take full control without valid credentials. With this case we are scanning for the actively exploited access control bypass (CVE-2023-38205 and CVE-2023-29298). These vulnerabilities combined with antoher vulnerability, leads to an RCE. It is advised to update as soon as possible.

What you can do

What we are doing

Timeline

Date Description
14 Jul 2023 Started research
05 Aug 2023-
08 Aug 2023
publishing casefile
gantt title DIVD-2023-00032 - Access Control Bypass - CVE-2023-29298 & CVE-2023-38205 dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2023-00032 - Access Control Bypass - CVE-2023-29298 & CVE-2023-38205 (still open) :2023-07-14, 2024-03-04 section Events Started research : milestone, 2023-07-14, 0d publishing casefile (3 days) : 2023-08-05, 2023-08-08

More information