Adobe releases emergency patch for ColdFusion vulnerability
Three ColdFusion vulnerabilities addressed by Adobe, including a zero-day
Adobe has released a patch to fix three vulnerabilities found in its ColdFusion commercial rapid web-application development computing platform. Of the three vulnerabilities, one is a zero-day, while another one was being actively exploited in the wild.
As per a report on BleepingComputer, the three vulnerabilities in question are tracked as CVE-2023-38204 (critical RCE with a 9.8 severity score), CVE-2023-38205 (critical Improper Access Control flaw with a 7.8 severity score) and CVE-2023-38206 (moderate Improper Access Control with a 5.3 severity score).
Despite CVE-2023-38204 being critical, that’s not the one being used by hackers. It’s CVE-2023-38205, the critical Improper Access Control Flaw that Adobe saw being leveraged by threat actors.
Addressing a bypass
“Adobe is aware that CVE-2023-38205 has been exploited in the wild in limited attacks targeting Adobe ColdFusion,” the company said in a security advisory.
The CVE-2023-38205 flaw is a patch bypass for the fix for CVE-2023-29298, BleepingComputer further explained. This is a ColdFusion authentication bypass that was discovered by Rapid7 some two weeks ago.
In mid-July, cybersecurity researchers from Rapid7 saw threat actors using multiple vulnerabilities to install webshells on ColdFusion servers. These webshells gave them remote access to vulnerable endpoints. While Adobe was quick to release a patch, Rapid7 said it could be worked around:
“Rapid7 researchers determined on Monday, July 17 that the fix Adobe provided for CVE-2023-29298 on July 11 is incomplete, and that a trivially modified exploit still works against the latest version of ColdFusion (released July 14),” the researchers said.
“We have notified Adobe that their patch is incomplete.”
Now, Adobe confirmed to the media that it included a fix for CVE-2023-29298 in its latest patch.
Given the fact that the company observed the flaw being used by hackers, users are strongly advised to patch their endpoints immediately.
Via: BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.