ColdFusion Access Control bypass (CVE-2023-29298/CVE-2023-38205)
Description
Adobe ColdFusion versions 2018, 2021, and 2023 contain an access control vulnerability that lets an unauthenticated attacker bypass authentication and directly reach restricted administrative CFM (ColdFusion Markup) and CFC (ColdFusion Component) endpoints. As a result, administrative functions that should be reachable only by authenticated administrators become available to unauthorized users.
Remediation
Immediately upgrade Adobe ColdFusion to a patched version as specified in APSB23-47:
• ColdFusion 2023: apply Update 2 or later
• ColdFusion 2021: apply Update 8 or later
• ColdFusion 2018: apply Update 18 or later
Note that earlier update versions (2023 Update 1, 2021 Update 7, and 2018 Update 17) remain vulnerable to CVE-2023-38205 and should not be considered secure. After patching, review access logs for any suspicious administrative endpoint access from unauthenticated sources and verify that no unauthorized changes were made to the system.
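As an added illustration of the log review step above (example code, not part of the advisory): a small Python triage script that parses constructed Apache-style access log lines and flags requests to ColdFusion administrative paths that did not originate from the management network. The admin path prefixes (/CFIDE/administrator/, /CFIDE/adminapi/) and the trusted range 10.0.0.0/8 are assumptions to adjust for the local deployment.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in Apache "combined" log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [14/Jul/2023:10:02:11 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
10.0.5.7 - - [14/Jul/2023:10:05:40 +0000] "GET /CFIDE/administrator/settings/server.cfm HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
198.51.100.23 - - [14/Jul/2023:10:06:02 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 403 199 "-" "python-requests/2.31"
198.51.100.23 - - [14/Jul/2023:10:06:09 +0000] "POST /CFIDE/adminapi/administrator.cfc?method=login HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.10 - - [14/Jul/2023:10:07:19 +0000] "GET /index.cfm HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# Assumed: admin URL prefixes to watch and the network admin access is expected from.
ADMIN_PREFIXES = ("/cfide/administrator/", "/cfide/adminapi/")
TRUSTED_ADMIN_NETS = [ip_network("10.0.0.0/8")]
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def is_admin_path(path):
    # Compare the path only, case-insensitively, so a query string or
    # mixed-case spelling does not hide an administrative endpoint.
    return path.split("?", 1)[0].lower().startswith(ADMIN_PREFIXES)

def from_trusted_net(ip):
    try:
        addr = ip_address(ip)
    except ValueError:
        return False  # malformed source field: treat as untrusted
    return any(addr in net for net in TRUSTED_ADMIN_NETS)

def find_suspicious_admin_access(log_text):
    # Admin-endpoint requests from outside the management network, in log order.
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None or not is_admin_path(m["path"]):
            continue
        if from_trusted_net(m["ip"]):
            continue
        # "served" marks answers below 400, i.e. the endpoint handled the request.
        hits.append({"ip": m["ip"], "time": m["ts"], "method": m["method"], "path": m["path"],
                     "status": int(m["status"]), "served": int(m["status"]) < 400})
    return hits

def served_hits_by_source(hits):
    # Per-source count of admin requests the server actually served; review these first.
    return dict(Counter(h["ip"] for h in hits if h["served"]))
```

Servers that log through ColdFusion's bundled Tomcat rather than a front-end Apache use a different line format, so adjust LOG_RE accordingly.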