ghsa-vwjx-mmwm-pwrf
Vulnerability from github
Published
2025-03-05 18:31
Modified
2025-03-05 19:30
Severity ?
VLAI Severity ?
Summary
Lucee RCE/XXE Vulnerability
Details
Impact
The Lucee team received a responsible disclosure of a security vulnerability which affects all previous releases of Lucee.
After reviewing the report and confirming the vulnerability, the Lucee team then conducted a further security review and found additional vulnerabilities which have been addressed as part of this this security update.
Patches
Lucee 5.4.3.2 and 5.3.12.1 stable releases have been patched with additional hardening
The older releases, 5.3.7.59., 5.3.8.236 and 5.3.9.173 have also been patched
Any users running older release, should plan to immediately upgrade to the latest stable release
6.0 will have a RC as it's not yet released
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.lucee:lucee"
},
"ranges": [
{
"events": [
{
"introduced": "5.3.10.79-RC"
},
{
"fixed": "5.3.12.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.lucee:lucee"
},
"ranges": [
{
"events": [
{
"introduced": "5.4.0.65-RC"
},
{
"fixed": "5.4.3.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.lucee:lucee"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "5.3.7.59"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.lucee:lucee"
},
"ranges": [
{
"events": [
{
"introduced": "5.3.8.132-RC"
},
{
"fixed": "5.3.8.236"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.lucee:lucee"
},
"ranges": [
{
"events": [
{
"introduced": "5.3.9.113"
},
{
"fixed": "5.3.9.173"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-38693"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-05T18:31:03Z",
"nvd_published_at": "2025-03-05T16:15:37Z",
"severity": "CRITICAL"
},
"details": "### Impact\n\nThe Lucee team received a responsible disclosure of a security vulnerability which affects all previous releases of Lucee.\n\nAfter reviewing the report and confirming the vulnerability, the Lucee team then conducted a further security review and found additional vulnerabilities which have been addressed as part of this this security update.\n\n### Patches\n\nLucee 5.4.3.2 and 5.3.12.1 stable releases have been patched with additional hardening\n\nThe older releases, 5.3.7.59., 5.3.8.236 and 5.3.9.173 have also been patched\n\nAny users running older release, should plan to immediately upgrade to the latest stable release\n\n6.0 will have a RC as it\u0027s not yet released",
"id": "GHSA-vwjx-mmwm-pwrf",
"modified": "2025-03-05T19:30:32Z",
"published": "2025-03-05T18:31:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/lucee/Lucee/security/advisories/GHSA-vwjx-mmwm-pwrf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38693"
},
{
"type": "PACKAGE",
"url": "https://github.com/lucee/Lucee"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Lucee RCE/XXE Vulnerability"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…