Hackers Actively Exploit Multiple Adobe ColdFusion Vulnerabilities

The CVE-2023-29300 patch blocks deserialization of specific classes in ColdFusion’s WDDX data, preventing gadget-based attacks without breaking existing dependencies. The Project Discovery authors identified a functional gadget: com.sun.rowset.JdbcRowSetImpl can be leveraged to achieve remote code execution because it is not on Adobe’s denylist.

Source: GBHackers

 

