www.rapid7.com
Critical Access Control Bypass in Adobe ColdFusion (CVE-2023-29298)
Rapid7 disclosed an access control bypass vulnerability in Adobe ColdFusion, tracked as CVE-2023-29298, affecting ColdFusion 2018 update 16, 2021 update 6, and 2023. The flaw lets an attacker reach restricted administration endpoints by manipulating the URL of the request, which undermines the guarantees of ColdFusion's Secure Profile and exposes 437 CFM and 96 CFC files. Exploitation requires no user interaction, which raises the risk of unauthorized access to sensitive resources. Adobe released patches in APSB23-40 to address the issue. The vulnerability was reported to Adobe on April 11, 2023, and the advisory was published on July 12, 2023. CISA added it to the Known Exploited Vulnerabilities Catalog on July 20, 2023.
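The bug class behind this advisory is an access-control check applied to the raw request URL rather than to a canonical form of the path, so an alternative spelling of the same path slips past a prefix-based rule. The following is an added illustration of that general pattern and its mitigation; it is not Rapid7's or Adobe's code, does not reproduce the specific URL manipulation used against ColdFusion, and the restricted prefixes and sample requests are constructed assumptions rather than ColdFusion's real paths.

```python
import posixpath
from urllib.parse import unquote

# Assumption: illustrative restricted prefixes, not ColdFusion's actual admin paths.
RESTRICTED_PREFIXES = ("/admin", "/adminapi")


def _under(path: str, prefix: str) -> bool:
    """True if path is exactly prefix or lies beneath it as a directory."""
    return path == prefix or path.startswith(prefix + "/")


def naive_is_restricted(path: str) -> bool:
    """Weak check: matches the request path exactly as received.

    Any spelling that differs byte-for-byte from the canonical form
    (duplicate slashes, percent-encoding, dot segments) is not matched,
    even though the server may later resolve it to the same resource.
    """
    return any(_under(path, p) for p in RESTRICTED_PREFIXES)


def canonicalize(path: str) -> str:
    """Reduce every spelling of a path to one canonical form.

    Percent-decoding is applied twice so that double-encoded input is also
    resolved; for a deny decision, over-decoding is the conservative choice.
    Leading slashes are collapsed to one because posixpath.normpath keeps a
    leading '//' (POSIX allows it to be special), and normpath then removes
    '.' and '..' segments and any remaining duplicate slashes.
    """
    decoded = unquote(unquote(path))
    decoded = "/" + decoded.lstrip("/")
    return posixpath.normpath(decoded)


def hardened_is_restricted(path: str) -> bool:
    """Hardened check: canonicalize first, then apply the same prefix rule."""
    return any(_under(canonicalize(path), p) for p in RESTRICTED_PREFIXES)


def check_request(path: str, authenticated: bool) -> bool:
    """Authorization decision: restricted paths require an authenticated caller."""
    if hardened_is_restricted(path) and not authenticated:
        return False
    return True


def compare(paths):
    """Return {path: (naive_result, hardened_result)} to show where the checks diverge."""
    return {p: (naive_is_restricted(p), hardened_is_restricted(p)) for p in paths}


if __name__ == "__main__":
    # Constructed sample request paths for the demonstration.
    samples = [
        "/admin/index.cfm",
        "//admin/index.cfm",
        "/%61dmin/index.cfm",
        "/public/../admin/index.cfm",
        "/public/index.cfm",
    ]
    for path, (naive, hardened) in compare(samples).items():
        print(f"{path:32} naive={naive!s:5} hardened={hardened!s:5}")
```

The point for a defender is that the authorization decision and the resource resolution must agree on what the path means; when the check runs on a different representation than the one the handler eventually serves, every transformation the server applies afterwards becomes a potential bypass. Patching is the fix for this CVE; the canonicalize-then-check pattern is the design rule that prevents the class.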
Key Points:
• CVE-2023-29298 allows unauthorized access to ColdFusion admin endpoints.
• Affected versions include Adobe ColdFusion 2018u16, 2021u6, and 2023.
• Patches were released by Adobe to mitigate this critical vulnerability.