CVE-2023-38693

Summary

Lucee Server (or simply Lucee) is a dynamic, Java based, tag and scripting language used for rapid web application development. The Lucee REST endpoint is vulnerable to RCE via an XML XXE attack. This vulnerability is fixed in Lucee 5.4.3.2, 5.3.12.1, 5.3.7.59, 5.3.8.236, and 5.3.9.173.

Affected Software

VendorProductVersion RangeStatus
luceeLucee>= 5.4.0.0, < 5.4.3.2affected
luceeLucee>= 5.3.12.0, < 5.3.12.1affected
luceeLucee< 5.3.7.59affected
luceeLucee>= 5.3.8.0, < 5.3.8.236affected
luceeLucee>= 5.3.9.0, < 5.3.9.173affected

Weaknesses

  • CWE-611: CWE-611: Improper Restriction of XML External Entity Reference

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References