Critical Vulnerabilities in Adobe ColdFusion
24 July 2023
Adobe has released security updates to address critical vulnerabilities (CVE-2023-38204 and CVE-2023-38205) in their ColdFusion product, an application server used for building and deploying web and mobile applications. CVE-2023-38204 has a Common Vulnerability Scoring System (CVSSv3) score of 9.8 out of 10. There are also reports that CVE-2023-38205 is being actively exploited.
The critical vulnerabilities are:
- CVE-2023-38204: Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code due to the deserialisation of untrusted data.
- CVE-2023-38205: Successful exploitation of this improper access control vulnerability could allow an attacker to bypass the product feature that restricts external access to the ColdFusion Administrator.
The vulnerabilities affect the following products:
- ColdFusion 2023, Update 2 and earlier versions
- ColdFusion 2021, Update 8 and earlier versions
- ColdFusion 2018, Update 18 and earlier versions
Users and administrators of the affected products are advised to update to the latest versions immediately.
More information is available here:
https://helpx.adobe.com/security/products/coldfusion/apsb23-47.html