CVE-2023-38205
Published: 14 September 2023
Summary
CVE-2023-38205 is a high-severity Improper Access Control (CWE-284) vulnerability in Adobe ColdFusion with a CVSS 3.1 base score of 7.5 (High).
Operationally, it ranks among the very highest CVEs by exploit likelihood (EPSS 0.9431), and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest compensating controls our analysis identified are NIST SP 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege); the definitive remediation is Adobe's vendor update (APSB23-47).
Deeper analysis
Adobe ColdFusion 2018 Update 18 (2018u18) and earlier, 2021 Update 8 (2021u8) and earlier, and 2023 Update 2 (2023u2) and earlier contain an improper access control vulnerability that permits a security feature bypass. The flaw affects the product's administrative CFM and CFC endpoints and carries a CVSS 3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
An unauthenticated attacker can exploit the issue over the network, without user interaction, to reach the administration endpoints; the scored impact is disclosure of sensitive information (high confidentiality impact, no integrity or availability impact).
Adobe's security bulletin APSB23-47 addresses the flaw and directs administrators to apply the vendor-supplied update for each affected branch: ColdFusion 2023 Update 3, 2021 Update 9 and 2018 Update 19. Note that CVE-2023-38205 is a bypass of the fix Adobe shipped for CVE-2023-29298 in APSB23-40, so an instance patched only to that earlier level remains exposed; verify the installed update level rather than relying on a recent patch date. The vulnerability also appears in CISA's Known Exploited Vulnerabilities catalog.
The associated EPSS score (the estimated probability of exploitation in the next 30 days) currently stands at 0.9431, with a recorded peak of 0.9587.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-42025
Vulnerability details
Adobe ColdFusion versions 2018u18 (and earlier), 2021u8 (and earlier) and 2023u2 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to access the administration CFM and CFC endpoints. Exploitation of this issue does not require user interaction.
- CWE(s)
- CWE-284 (Improper Access Control)
- KEV Date Added
- 20 July 2023
Related Threats
No named threat actor has yet been publicly attributed to exploitation of this CVE; ATT&CK technique mapping is in progress.
Affected Assets
Mitigating Controls (NIST SP 800-53 r5)
AC-3 (Access Enforcement): Directly enforces access control policy on the ColdFusion administration CFM/CFC endpoints, blocking the unauthorized bypass described in CVE-2023-38205.
AC-6 (Least Privilege): Restricts administrative functions to only the privileges required, limiting the exposure of the affected endpoints to unauthenticated remote attackers.
SC-7 (Boundary Protection): Restricts network access to internal administrative interfaces at the perimeter and web-server layer, so that the endpoints cannot be reached remotely without authentication even if the application-level check is bypassed.
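The boundary and access-enforcement controls above are only useful if you can see whether they are holding. The following Python script, added here as an illustration and not part of the advisory or of Adobe's product, scans web-server access logs in the common Apache/nginx combined format for requests to ColdFusion administrative endpoints from outside a management network and reports whether each request was served or rejected. It assumes the default administrative paths /CFIDE/administrator/ and /CFIDE/adminapi/, a management range of 10.0.0.0/8, and the constructed sample log lines embedded in the script; none of these come from the advisory. Request paths are canonicalised (percent-decoding, duplicate-slash and dot-segment collapsing, case folding) before matching so that a naive substring rule is not trivially sidestepped. It is a detection aid for verifying AC-3/SC-7 enforcement, not a substitute for applying APSB23-47.

```python
"""Flag requests to ColdFusion administrative endpoints from outside the
management network and report whether each was served or rejected.

Added example for this page; not Adobe code and not part of the advisory.
Assumptions (not stated in the advisory): the administrative CFM/CFC
endpoints live under the default /CFIDE/administrator/ and /CFIDE/adminapi/
paths, the management network is 10.0.0.0/8, and logs use the Apache/nginx
combined format. SAMPLE_LOG below is constructed test data.
"""
import ipaddress
import posixpath
import re
from urllib.parse import unquote

# Assumed default admin paths, compared after canonicalisation (lower-case).
ADMIN_PREFIXES = ("/cfide/administrator/", "/cfide/adminapi/")
# Assumed management network from which admin access is legitimate.
MGMT_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Combined log format: ip ident user [ts] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample: three external hosts reach the admin UI (one via an
# encoded path, one via a doubled slash), one external request is rejected
# at the boundary (403), one internal host is legitimate, one is not admin.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Jul/2023:10:15:01 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5123
10.20.30.40 - - [20/Jul/2023:10:15:03 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5123
198.51.100.9 - - [20/Jul/2023:10:16:12 +0000] "GET /cfide//ADMINISTRATOR/settings/version.cfm HTTP/1.1" 200 2048
198.51.100.9 - - [20/Jul/2023:10:16:20 +0000] "POST /CFIDE/adminapi/base.cfc?method=getBuildNumber HTTP/1.1" 403 199
203.0.113.8 - - [20/Jul/2023:10:17:00 +0000] "GET /%43FIDE/administrator/ HTTP/1.1" 200 5123
203.0.113.9 - - [20/Jul/2023:10:18:00 +0000] "GET /index.cfm HTTP/1.1" 200 800
"""


def normalize_path(target: str) -> str:
    """Canonicalise a request target roughly the way a server does before
    routing: drop the query string, percent-decode twice (undoes double
    encoding), treat backslashes as slashes, collapse repeated slashes and
    "."/".." segments, and lower-case (admin paths are case-insensitive on
    Windows hosts)."""
    path = target.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path)
    path = path.replace("\\", "/")
    path = re.sub(r"/{2,}", "/", path)
    path = posixpath.normpath(path)  # also strips a trailing slash
    return path.lower()


def is_admin_path(path: str) -> bool:
    """True if a canonicalised path is the admin directory itself or below it."""
    return any(path == p.rstrip("/") or path.startswith(p) for p in ADMIN_PREFIXES)


def from_management_network(ip: str) -> bool:
    """True if the source address is inside an allowlisted management range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparseable source: treat as untrusted
    return any(addr in net for net in MGMT_NETS)


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "method": m["method"],
            "target": m["target"], "status": int(m["status"])}


def scan(lines):
    """Return findings for admin-endpoint requests from non-management sources.
    'reached' is True when the server answered with anything below 400, i.e.
    the boundary control did not reject the request."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = normalize_path(rec["target"])
        if not is_admin_path(path) or from_management_network(rec["ip"]):
            continue
        findings.append({**rec, "path": path, "reached": rec["status"] < 400})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        verdict = "REACHED admin endpoint" if f["reached"] else "blocked at boundary"
        print(f'{f["ts"]}  {f["ip"]:<15} {f["method"]} {f["path"]} -> {f["status"]} ({verdict})')
```

Run it against your own access logs by replacing SAMPLE_LOG with the log file contents; any finding with `reached` set to True means an address outside the management range was served an administrative page, which is exactly the condition the AC-3 and SC-7 controls are meant to prevent, and such requests should be correlated with the instance's update level.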