Adobe has issued an out-of-cycle software patch for its ColdFusion software after security researchers found a previous patch was incomplete, and being exploited in the wild.
The story began with a Rapid7 disclosure that included CVE-2023-29298, an access control bug that gave attackers administration access to the ColdFusion Markup (CFM) and ColdFusion Component (CFC) endpoints.
Today’s patches fix access control flaws: CVE-2023-38204 is rated 9.8 on the CVSS but hasn’t been exploited, CVE-2023-38205 rates at 7.8 and has been exploited, and CVE-2023-38206, which is rated 5.3.
“Adobe is aware that CVE-2023-38205 has been exploited in the wild in limited attacks targeting Adobe ColdFusion,” the Adobe advisory stated.
CVE-2023-38205, Rapid7 said, was needed because a fix published earlier this month was incomplete: “Rapid7 researchers determined on Monday, July 17 that the fix Adobe provided for CVE-2023-29298 on July 11 is incomplete, and that a trivially modified exploit still works against the latest version of ColdFusion,” the company said.
“Adobe released a fix for the patch bypass of CVE-2023-29298 on July 19 and assigned it CVE-2023-38205.
“Rapid7 has confirmed the new patch works.”
Rapid7’s post identifies three IP addresses and two domains that are indicators of compromise.