CVE-2023-29300
Adobe ColdFusion Deserialization of Untrusted Data Arbitrary code execution
In short
Adobe ColdFusion has a flaw that allows attackers to run malicious code on servers by sending specially crafted data. This happens without needing to trick users and puts all affected servers at serious risk.
Technical detail
CVE-2023-29300 is an unsafe deserialization of untrusted data in Adobe ColdFusion that enables remote code execution without user interaction. The vulnerability affects versions 2018u16 and earlier, 2021u6 and earlier, and 2023.0.0.330468 and earlier. Attackers can craft malicious serialized objects to achieve arbitrary code execution on the target system.
Summary generated and translated by AI from the official description.
Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier) and 2023.0.0.330468 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
Adobe · ColdFusion