Adobe has released a fresh round of updates to address an incomplete fix for a recently disclosed ColdFusion flaw that has come under active exploitation in the wild.
The critical shortcoming, tracked as CVE-2023-38205 (CVSS score: 7.5), has been described as an instance of improper access control that could result in a security bypass. It impacts the following versions:
- ColdFusion 2023 (Update 2 and earlier versions)
- ColdFusion 2021 (Update 8 and earlier versions)
- ColdFusion 2018 (Update 18 and earlier versions)
"Adobe is aware that CVE-2023-38205 has been exploited in the wild in limited attacks targeting Adobe ColdFusion," the company said.
The update also addresses two other flaws: a critical deserialization bug (CVE-2023-38204, CVSS score: 9.8) that could lead to remote code execution, and a second improper access control flaw (CVE-2023-38206, CVSS score: 5.3) that could also pave the way for a security bypass.
The disclosure arrives days after Rapid7 warned that the fix put in place for CVE-2023-29298 was incomplete and that it could be trivially sidestepped by malicious actors. The cybersecurity firm has confirmed that the new patch completely plugs the security hole.
CVE-2023-29298, an access control bypass vulnerability, has been weaponized in real-world attacks by chaining it with another flaw, suspected to be CVE-2023-38203, to drop web shells on compromised systems for backdoor access.
Adobe ColdFusion users are strongly advised to update their installations to the latest version to mitigate potential threats.