Adobe has released a fresh round of updates to address an incomplete fix for a recently disclosed ColdFusion flaw that has come under active exploitation in the wild.
The critical shortcoming, tracked as CVE-2023-38205 (CVSS score: 7.5), has been described as an instance of improper access control that could result in a security bypass. It impacts the following versions:
- ColdFusion 2023 (Update 2 and earlier versions)
- ColdFusion 2021 (Update 8 and earlier versions), and
- ColdFusion 2018 (Update 18 and earlier versions)
“Adobe is aware that CVE-2023-38205 has been exploited in the wild in limited attacks targeting Adobe ColdFusion,” the company said.
The update also addresses two other flaws, including a critical deserialization bug (CVE-2023-38204, CVSS score: 9.8) that could lead to remote code execution and a second improper access control flaw that could also pave the way for a security bypass (CVE-2023-38206, CVSS score: 5.3).
images from Hacker News