Attacker Value: High (1 user assessed)
Exploitability: Very High (1 user assessed)
User Interaction: None
Privileges Required: None
Attack Vector: Network

CVE-2023-26359

Disclosure Date: March 14, 2023
Exploited in the Wild

Description

Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction.

Technical Analysis

After investigating a separate ColdFusion vulnerability, CVE-2023-26360, and in conjunction with privately reported information regarding CVE-2023-26359, I can rate this vulnerability as easily exploited and vulnerable in a default configuration.

CVSS V3 Severity and Metrics

Base Score: 9.8 Critical
Impact Score: 5.9
Exploitability Score: 3.9
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

General Information

Vendors

  • adobe

Products

  • coldfusion 2018
  • coldfusion 2021

Additional Info

Technical Analysis

Note: The vulnerability initially analyzed as CVE-2023-26359 has been identified to be CVE-2023-26360. This change occurred after Adobe updated their advisory to re-classify CVE-2023-26360 from an Improper Access Control vulnerability to a Deserialization of Untrusted Data vulnerability. This change, in conjunction with privately reported information regarding CVE-2023-26359, let us reliably identify CVE-2023-26360. The AttackerKB Analysis for CVE-2023-26360 is now available here.