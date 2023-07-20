Emergency patch for ColdFusion zero-day


Earlier fix was incomplete.

Adobe has issued an out-of-cycle software patch for its ColdFusion software after security researchers found a previous patch was incomplete, and being exploited in the wild.

The story began with a Rapid7 disclosure that included CVE-2023-29298, an access control bug that gave attackers administration access to the ColdFusion Markup (CFM) and ColdFusion Component (CFC) endpoints.

Today’s patches fix three access control flaws: CVE-2023-38204, rated 9.8 on the CVSS scale but not known to have been exploited; CVE-2023-38205, rated 7.8 and exploited in the wild; and CVE-2023-38206, rated 5.3.

“Adobe is aware that CVE-2023-38205 has been exploited in the wild in limited attacks targeting Adobe ColdFusion,” the Adobe advisory stated.

The fix for CVE-2023-38205, Rapid7 said, was needed because the fix published earlier this month was incomplete: “Rapid7 researchers determined on Monday, July 17 that the fix Adobe provided for CVE-2023-29298 on July 11 is incomplete, and that a trivially modified exploit still works against the latest version of ColdFusion,” the company said.

“Adobe released a fix for the patch bypass of CVE-2023-29298 on July 19 and assigned it CVE-2023-38205.

“Rapid7 has confirmed the new patch works.”

Rapid7’s post identifies three IP addresses and two domains that are indicators of compromise.

Copyright © iTnews.com.au . All rights reserved.