GHSA-VWJX-MMWM-PWRF

Vulnerability from github – Published: 2025-03-05 18:31 – Updated: 2025-03-05 19:30
VLAI?
Summary
Lucee RCE/XXE Vulnerability
Details

Impact

The Lucee team received a responsible disclosure of a security vulnerability which affects all previous releases of Lucee.

After reviewing the report and confirming the vulnerability, the Lucee team then conducted a further security review and found additional vulnerabilities which have been addressed as part of this this security update.

Patches

Lucee 5.4.3.2 and 5.3.12.1 stable releases have been patched with additional hardening

The older releases, 5.3.7.59., 5.3.8.236 and 5.3.9.173 have also been patched

Any users running older release, should plan to immediately upgrade to the latest stable release

6.0 will have a RC as it's not yet released

Severity ?
10.0 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.lucee:lucee"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.3.10.79-RC"
            },
            {
              "fixed": "5.3.12.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.lucee:lucee"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.4.0.65-RC"
            },
            {
              "fixed": "5.4.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.lucee:lucee"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "5.3.7.59"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.lucee:lucee"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.3.8.132-RC"
            },
            {
              "fixed": "5.3.8.236"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.lucee:lucee"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.3.9.113"
            },
            {
              "fixed": "5.3.9.173"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-38693"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-05T18:31:03Z",
    "nvd_published_at": "2025-03-05T16:15:37Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nThe Lucee team received a responsible disclosure of a security vulnerability which affects all previous releases of Lucee.\n\nAfter reviewing the report and confirming the vulnerability, the Lucee team then conducted a further security review and found additional vulnerabilities which have been addressed as part of this this security update.\n\n### Patches\n\nLucee 5.4.3.2 and 5.3.12.1 stable releases have been patched with additional hardening\n\nThe older releases, 5.3.7.59., 5.3.8.236 and 5.3.9.173 have also been patched\n\nAny users running older release, should plan to immediately upgrade to the latest stable release\n\n6.0 will have a RC as it\u0027s not yet released",
  "id": "GHSA-vwjx-mmwm-pwrf",
  "modified": "2025-03-05T19:30:32Z",
  "published": "2025-03-05T18:31:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/lucee/Lucee/security/advisories/GHSA-vwjx-mmwm-pwrf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38693"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/lucee/Lucee"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Lucee RCE/XXE Vulnerability"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.