Attacker Value
Moderate
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
2

CVE-2023-29298

Disclosure Date: July 12, 2023
Exploited in the Wild
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier) and 2023.0.0.330468 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to access the administration CFM and CFC endpoints. Exploitation of this issue does not require user interaction.

Add Assessment

1
Ratings
  • Attacker Value
    Medium
  • Exploitability
    Very High
Technical Analysis

As per the Rapid7 advisory, this vulnerability allows an attacker to bypass an access control feature designed to permit access to the ColdFusion Administrator endpoints on a ColdFusion web server based on the requesting IP address. When a request originates from an external IP address that is not present in the access controls allow list, access to the requested resource is blocked. At attacker can construct a URL whose path contains an unexpected forward slash, such as //CFIDE/wizards/common/utils.cfc and the resource can be accessed regardless of the requests IP address.

This vulnerability is particularly useful to an attacker as it can be chained with existing RCE vulnerabilities that require targeting CFC of CFRM endpoints ion the ColdFusion administrator, such as CVE-2023-26360 or CVE-2023-38203.

CVSS V3 Severity and Metrics
Base Score:
7.5 High
Impact Score:
3.6
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
None
Availability (A):
None

General Information

Vendors

  • adobe

Products

  • coldfusion,
  • coldfusion 2018,
  • coldfusion 2021

Exploited in the Wild

Reported by:

Additional Info

Technical Analysis