CVE-2023-38693 – org.lucee:lucee
Package
Manager: maven
Name: org.lucee:lucee
Vulnerable Version: >=5.3.10.79-rc <5.3.12.1 || >=5.4.0.65-rc <5.4.3.2 || >=0 <=5.3.7.59 || >=5.3.8.132-rc <5.3.8.236 || >=5.3.9.113 <5.3.9.173
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
EPSS: 0.00139 (percentile 0.34556)
Details
Lucee RCE/XXE Vulnerability

### Impact

The Lucee team received a responsible disclosure of a security vulnerability which affects all previous releases of Lucee. After reviewing the report and confirming the vulnerability, the Lucee team conducted a further security review and found additional vulnerabilities, which have been addressed as part of this security update.

### Patches

The Lucee 5.4.3.2 and 5.3.12.1 stable releases have been patched with additional hardening. The older releases 5.3.7.59, 5.3.8.236 and 5.3.9.173 have also been patched. Any users running an older release should plan to upgrade immediately to the latest stable release. 6.0 will have an RC, as it is not yet released.
Metadata
Created: 2025-03-05T18:31:03Z
Modified: 2025-03-05T19:30:32Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-vwjx-mmwm-pwrf/GHSA-vwjx-mmwm-pwrf.json
CWE IDs: ["CWE-611"]
Alternative ID: GHSA-vwjx-mmwm-pwrf
Finding: F083
Auto approve: 1