CVE-2023-29298 — Adobe ColdFusion Improper Access Control Vulnerability

CVE-2023-29298

Adobe ColdFusion — URL Filter Bypass Allowing Unauthenticated Admin Panel Access; Patch Later Bypassed by CVE-2023-38205

What is Adobe ColdFusion?

Adobe ColdFusion is a commercial application server and scripting platform for building web applications. Deployed widely in enterprise and government environments, ColdFusion servers typically have broad database access and run web-facing applications. The ColdFusion Administrator — a web management console — provides server configuration, data source management, and administrative controls. Unauthenticated access to the Administrator is equivalent to full control over the ColdFusion server and any data sources it accesses.

Overview

CVE-2023-29298 is an improper access control vulnerability in Adobe ColdFusion that allows an unauthenticated remote attacker to bypass the URL filtering that protects the ColdFusion Administrator interface. By prepending a specific path prefix to administrator URLs, an attacker can reach restricted endpoints without credentials. Adobe patched it in APSB23-40 (July 11, 2023), but the fix was bypassed within a day — leading to the related CVE-2023-38205 (APSB23-47, July 20). Both CVEs were added to the CISA KEV catalog on July 20, 2023.

Note: Organizations that only applied APSB23-40 remain vulnerable to the bypass via CVE-2023-38205 — APSB23-47 is required for complete remediation.

Affected Versions

Product          Affected               Fixed by APSB23-40
ColdFusion 2023  Update 1 and earlier   Update 2
ColdFusion 2021  Update 7 and earlier   Update 8
ColdFusion 2018  Update 17 and earlier  Update 18

See CVE-2023-38205 for the subsequent patch bypass fix in APSB23-47.

Technical Details

The vulnerability (CWE-284, improper access control) lies in the URL-based access control mechanism that guards ColdFusion's administrator endpoints. ColdFusion inspects incoming URLs and blocks unauthenticated requests to /CFIDE/administrator/ and related paths. Exploitation of CVE-2023-29298 relies on a gap in this filtering: when a path component is prepended to the URL (e.g., /mappings/../CFIDE/administrator/), the request no longer matches the filter's blocked pattern, yet ColdFusion's internal URL resolution still routes it to the protected endpoint.

This is a classic path traversal / filter bypass: from the filter's perspective the URL matches neither the blocked pattern nor a legitimately public endpoint, so it is passed through, and the server's URL router then resolves it to the protected location. Any check that compares the raw request path against a blocklist, rather than the path as the router will actually resolve it, is open to this class of bypass.
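To show the filter/router mismatch from the defender's side, the following is an added example (not Adobe's code and not from the advisory): a raw-prefix check of the kind the bypass defeats beside a normalizing check, plus a scan of constructed access-log lines that flags requests which reach /CFIDE/administrator/ only after normalization. It goes slightly beyond the page by also decoding percent-encoded dot segments; the Common Log Format layout, the sample lines and the PROTECTED tuple are assumptions.

```python
"""Flag requests that reach the ColdFusion Administrator only after URL
normalisation, the gap a raw-prefix filter misses (CVE-2023-29298)."""
import posixpath
import re
from urllib.parse import unquote

PROTECTED = ("/cfide/administrator",)  # assumed; extend with other restricted paths
# Common Log Format (assumed): client ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def _hits_protected(path):
    return any(path == p or path.startswith(p + "/") for p in PROTECTED)

def naive_is_blocked(raw_path):
    """Raw-prefix check of the kind the bypass defeats: no normalisation."""
    return _hits_protected(raw_path.split("?", 1)[0].lower())

def normalize_path(raw_path):
    """Decode percent-encoding (twice, to cover double encoding), resolve
    '.' and '..' segments, collapse repeated slashes, then lowercase."""
    decoded = unquote(unquote(raw_path.split("?", 1)[0]))
    norm = posixpath.normpath(decoded)
    return "/" + norm.lstrip("/").lower()  # normpath keeps a leading '//'

def hardened_is_blocked(raw_path):
    """Check the resolved path, which is what the router actually serves."""
    return _hits_protected(normalize_path(raw_path))

def find_bypass_attempts(log_lines):
    """Return (client, raw_path) for requests that resolve to the
    Administrator yet would pass a raw-prefix filter."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, raw_path, _status = m.groups()
        if hardened_is_blocked(raw_path) and not naive_is_blocked(raw_path):
            hits.append((client, raw_path))
    return hits

SAMPLE_LOG = [  # constructed lines, not real traffic
    '203.0.113.5 - - [12/Jul/2023:10:01:02 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 403 0',
    '203.0.113.5 - - [12/Jul/2023:10:01:09 +0000] "GET /mappings/../CFIDE/administrator/index.cfm HTTP/1.1" 200 5120',
    '203.0.113.5 - - [12/Jul/2023:10:01:15 +0000] "GET /mappings/..%2fCFIDE/administrator/enter.cfm HTTP/1.1" 200 4100',
    '198.51.100.9 - - [12/Jul/2023:10:02:00 +0000] "GET /index.cfm?page=home HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for client, path in find_bypass_attempts(SAMPLE_LOG):
        print(f"possible Administrator filter bypass from {client}: {path}")
```

The first sample line is blocked by both checks and the last touches no protected path, so only the two traversal requests are reported; the same comparison can be run against a real access log once LOG_RE matches its format.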

With unauthenticated Administrator access, an attacker can:

  • Read server-side configuration including database credentials
  • Deploy CFM web shells for persistent code execution
  • Execute server-side code using ColdFusion's built-in functionality
  • Enumerate internal network resources via ColdFusion's data source connections

Discovery

Both the vulnerability and the bypass of its patch were identified by security researchers. Analysis of the APSB23-40 patch showed that the URL normalization applied by the fix could still be evaded with modified path patterns, leading directly to CVE-2023-38205.

Exploitation Context

ColdFusion vulnerabilities have historically been attractive targets for threat actors seeking initial access to enterprise environments. Adobe's July 2023 ColdFusion advisory cycle — CVE-2023-29298 patched, then bypassed, then re-patched within nine days — reflects both the severity of the underlying access control weakness and the active exploitation pressure from threat actors who rapidly test new patches for bypasses.

Active exploitation was confirmed, leading to CISA's same-day KEV addition alongside the second patch.

Remediation

  1. Apply APSB23-47 (not just APSB23-40) — Update ColdFusion 2023 to Update 3, ColdFusion 2021 to Update 9, ColdFusion 2018 to Update 19. Applying only the initial patch leaves you vulnerable to the bypass.
  2. Restrict Administrator access to trusted IPs — use firewall rules or ColdFusion's own IP restriction settings to limit admin interface access to management hosts only.
  3. Apply Adobe's ColdFusion Lockdown Guide settings — this significantly reduces the attack surface by disabling unnecessary features and restricting file system access.
  4. Audit deployed CFM files for unauthorized web shells — look for recently created or modified files in web-accessible directories.
  5. Rotate database and data source credentials if you cannot confirm that no exploitation occurred between the vulnerability's availability and patching.

Key Details

CVE ID: CVE-2023-29298
Vendor / Product: Adobe — ColdFusion
NVD Published: 2023-07-12
NVD Last Modified: 2025-10-23
CVSS 3.1 Score: 7.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity: HIGH
CWE: CWE-284
CISA KEV Added: 2023-07-20
CISA KEV Deadline: 2023-08-10
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Required Action

CISA BOD 22-01 Deadline: 2023-08-10. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2023-07-11  Adobe releases APSB23-40, patching CVE-2023-29298 and other ColdFusion vulnerabilities
2023-07-12  Researchers identify that the APSB23-40 patch for CVE-2023-29298 can be bypassed (leads to CVE-2023-38205)
2023-07-20  Adobe releases APSB23-47, fixing the patch bypass (CVE-2023-38205); both CVEs added to CISA KEV on the same day
2023-08-10  CISA BOD 22-01 remediation deadline