CVE-2023-38203
Analysis CVE-2023-29300 Bypass: Adobe ColdFusion Pre-Auth RCE
In short
Adobe ColdFusion has a critical flaw that allows attackers to run malicious code on vulnerable servers without any user interaction. The cause is unsafe deserialization of untrusted data, which gives attackers a direct path into the system.
Technical detail
ColdFusion 2018u17, 2021u7, and 2023u1 (and earlier) are vulnerable to deserialization of untrusted data (CWE-502), enabling unauthenticated remote code execution. The vulnerability requires no user interaction and can be exploited against network-accessible ColdFusion instances to achieve arbitrary code execution with the privileges of the ColdFusion server process.
Summary generated and translated by AI from the official description.
Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
Adobe · ColdFusion