CVE-2023-29298
Published: 12 July 2023
Summary
CVE-2023-29298 is a high-severity Improper Access Control (CWE-284) vulnerability in Adobe ColdFusion. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
Adobe ColdFusion versions 2018u16 and earlier, 2021u6 and earlier, and 2023.0.0.330468 and earlier contain an Improper Access Control vulnerability, tracked as CVE-2023-29298 and assigned CWE-284. The flaw permits a security feature bypass that exposes the administration CFM and CFC endpoints, carrying a CVSS 3.1 base score of 7.5 reflecting network attack vector, low complexity, and no required privileges or user interaction.
An unauthenticated remote attacker can directly request the affected endpoints to obtain unauthorized access to administrative functionality and sensitive configuration data. Because the vulnerability resides in access-control enforcement rather than authentication logic, exploitation succeeds without credentials or user assistance.
Adobe’s security bulletin APSB23-40 details the affected builds and corresponding updates that restore proper endpoint protections. The vulnerability also appears in CISA’s Known Exploited Vulnerabilities catalog, confirming observed in-the-wild use. The associated EPSS score remains elevated, with a current value of 0.9429 and a recorded peak of 0.9718.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-32873
Vulnerability details
Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier) and 2023.0.0.330468 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to access the administration CFM and CFC endpoints. Exploitation of this issue does not require user interaction.
- CWE(s): CWE-284
- KEV Date Added: 20 July 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces approved authorizations on the administrative CFM/CFC endpoints that the CVE allows an unauthenticated attacker to bypass.
- AC-6 (Least Privilege): Requires that administrative functionality be restricted to the minimum set of privileged accounts, preventing the broad unauthenticated access described in the CVE.
- Identification and Authentication: Mandates identification and authentication before granting access to system resources, directly countering the no-authentication bypass in CVE-2023-29298.