Attacker Value

Moderate

(1 user assessed)

Exploitability

Very High

(1 user assessed)

User Interaction

CVE-2023-29298

Disclosure Date: July 12, 2023 •

CVE-2023-29298 CVSS v3 Base Score: 7.5

Exploited in the Wild

Reported by sfewer-r7 and 2 more...
View Source Details

Description

Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier) and 2023.0.0.330468 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to access the administration CFM and CFC endpoints. Exploitation of this issue does not require user interaction.

Add Assessment

sfewer-r7 (120)

July 20, 2023 4:06pm UTC (1 year ago)

Ratings

Attacker Value

Medium

Exploitability

Very High

Unauthenticated Vulnerable in default configuration

Technical Analysis

As per the Rapid7 advisory, this vulnerability allows an attacker to bypass an access control feature designed to permit access to the ColdFusion Administrator endpoints on a ColdFusion web server based on the requesting IP address. When a request originates from an external IP address that is not present in the access controls allow list, access to the requested resource is blocked. At attacker can construct a URL whose path contains an unexpected forward slash, such as //CFIDE/wizards/common/utils.cfc and the resource can be accessed regardless of the requests IP address.

This vulnerability is particularly useful to an attacker as it can be chained with existing RCE vulnerabilities that require targeting CFC of CFRM endpoints ion the ColdFusion administrator, such as CVE-2023-26360 or CVE-2023-38203.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

7.5 High

Impact Score:

3.6

Exploitability Score:

3.9

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

None

Availability (A):

None

Vendors

adobe

Products

coldfusion,
coldfusion 2018,
coldfusion 2021

Exploited in the Wild

Reported by:

sfewer-r7 indicated source as Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)

Reported: July 20, 2023 3:57pm UTC (1 year ago)

mkienow-r7 indicated sources as

Vendor Advisory (https://helpx.adobe.com/security/products/coldfusion/apsb23-40.html)
Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
Other: CISA Gov Alert (https://www.cisa.gov/news-events/alerts/2023/07/20/cisa-adds-two-known-exploited-vulnerabilities-catalog)

Reported: July 20, 2023 5:09pm UTC (1 year ago)

AttackerKB Worker indicated source as Government or Industry Alert (https://www.cisa.gov/news-events/alerts/2023/07/20/cisa-adds-two-known-exploited-vulnerabilities-catalog)

Reported: November 08, 2024 8:33am UTC (2 weeks ago)

References

Canonical

CVE-2023-29298 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29298)

Miscellaneous

https://helpx.adobe.com/security/products/coldfusion/apsb23-40.html

https://www.rapid7.com/blog/post/2023/07/11/cve-2023-29298-adobe-coldfusion-access-control-bypass/

Rapid7

Moderate

CVE-2023-29298

Moderate

Very High

None

None

Network

CVE-2023-29298

Description