Adobe ColdFusion Vulnerability Could Lead to Arbitrary Code Execution
CVE-2023-38203
Key Information:
- Vendor: Adobe
- Status: Vendor
- CVE Published: 20 July 2023
Summary
Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution. Exploitation of this issue does not require user interaction.
CISA Reported
CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, meaning CISA has evidence that it is being exploited in the wild, and flags it as known to be used in ransomware campaigns.
CISA's recommended action is: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
- ColdFusion 2018, update 17 and earlier
- ColdFusion 2021, update 7 and earlier
- ColdFusion 2023, update 1 and earlier
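The following check is an added example, not code from this page or from Adobe: it classifies ColdFusion version strings against the three affected ranges stated in the summary. It assumes (not stated on the page) that ColdFusion reports its version as a comma-separated "major,minor,update,build" string, as exposed in CFML by server.coldfusion.productversion; the host names, version strings and build numbers in the sample inventory are constructed for illustration.

```python
"""
Version triage for CVE-2023-38203 using the affected ranges from the
advisory summary: ColdFusion 2018 update 17 and earlier, 2021 update 7
and earlier, 2023 update 1 and earlier.

Assumption (not from the page): ColdFusion reports its version as
"major,minor,update,build", e.g. "2021,0,07,330000", readable in CFML
via server.coldfusion.productversion. All sample strings below are
constructed; the build numbers are not real release identifiers.
"""
from typing import Dict, NamedTuple, Optional

# Highest affected update per major release, taken from the summary text.
LAST_AFFECTED_UPDATE = {2018: 17, 2021: 7, 2023: 1}


class CFVersion(NamedTuple):
    major: int
    minor: int
    update: int
    build: Optional[int]


def parse_cf_version(text: str) -> CFVersion:
    """Accept "2021,0,07,330000", "2021,0,7" or the shorthand "2021u7"."""
    text = text.strip()
    if "," not in text and "u" in text.lower():
        major, update = text.lower().split("u", 1)
        return CFVersion(int(major), 0, int(update), None)
    parts = [p.strip() for p in text.split(",")]
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised ColdFusion version string: {text!r}")
    build = int(parts[3]) if len(parts) > 3 and parts[3].isdigit() else None
    # int() tolerates the zero-padded update field ("07" -> 7).
    return CFVersion(int(parts[0]), int(parts[1]), int(parts[2]), build)


def status(text: str) -> str:
    """Classify a version as 'affected', 'not affected' or 'unknown'.

    'unknown' covers releases the advisory does not mention (for example
    ColdFusion 2016). The page makes no claim about them, so they must not
    be reported as safe just because they fall outside the listed ranges.
    """
    v = parse_cf_version(text)
    last = LAST_AFFECTED_UPDATE.get(v.major)
    if last is None:
        return "unknown"
    # "update N and earlier" includes the unpatched base release (update 0).
    return "affected" if v.update <= last else "not affected"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host name -> status for an inventory of host -> version string."""
    return {host: status(version) for host, version in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory: host names, versions and builds are made up.
    sample = {
        "cf-prod-01": "2021,0,07,330000",  # 2021 u7  -> affected
        "cf-prod-02": "2021,0,08,330000",  # 2021 u8  -> not affected
        "cf-legacy": "2018,0,17,330000",   # 2018 u17 -> affected
        "cf-new": "2023,0,02,330000",      # 2023 u2  -> not affected
        "cf-old": "2016,0,17,330000",      # not covered by the advisory
    }
    for host, result in triage(sample).items():
        print(f"{host:12} {sample[host]:20} {result}")
```

The check keys only on the major release and update number, which is how the advisory expresses the ranges; it deliberately does not treat a build number or an unlisted release as evidence of safety.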
News Articles
- Adobe ColdFusion vulnerabilities exploited to deliver web shells (CVE-2023-29298, CVE-2023-38203) - Help Net Security (1 year ago)
  Attackers are exploiting 2 Adobe ColdFusion flaws (CVE-2023-29298, CVE-2023-38203) to breach servers and install web shells.
- Exploited 0-days, an incomplete fix, and a botched disclosure: Infosec snafu reigns (1 year ago)
  The exploited code-execution flaws are the kind coveted by ransomware and nation-state hackers.
- Multiple Adobe ColdFusion flaws exploited in the wild | TechTarget (1 year ago)
  Multiple flaws in popular application server Adobe ColdFusion were exploited in the wild, including a zero-day that a vendor inadvertently published.
EPSS Score: 32% chance of being exploited in the next 30 days.
Timeline
- CISA Reported
- Vulnerability published
- Used in Ransomware
- Exploit known to exist
- First article discovered by SecurityWeek
- Vulnerability Reserved