CVE-2023-29298

Name of the Vulnerable Software and Affected Versions Adobe ColdFusion versions 2018u16 (and earlier) Adobe ColdFusion versions 2021u6 (and earlier) Adobe ColdFusion versions 2023.0.0.330468 (and earlier)

Description The issue is related to an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to access the administration CFM and CFC endpoints, such as "/api/v1/login" or "/users/{id}", by exploiting the username and password variables. Exploitation of this issue does not require user interaction. The vulnerability may allow a remote attacker to bypass existing security restrictions.

Recommendations For Adobe ColdFusion versions 2018u16 (and earlier), update to a version later than 2018u16 to resolve the issue. For Adobe ColdFusion versions 2021u6 (and earlier), update to a version later than 2021u6 to resolve the issue. For Adobe ColdFusion versions 2023.0.0.330468 (and earlier), update to a version later than 2023.0.0.330468 to resolve the issue. As a temporary workaround, consider restricting access to the administration CFM and CFC endpoints until a patch is available. Avoid using the username and password variables in the affected API endpoints until the issue is resolved.