CVE-2023-38693
Lucee RCE/XXE Vulnerability
Description
### Impact The Lucee team received a responsible disclosure of a security vulnerability which affects all previous releases of Lucee. After reviewing the report and confirming the vulnerability, the Lucee team then conducted a further security review and found additional vulnerabilities which have been addressed as part of this this security update. ### Patches Lucee 5.4.3.2 and 5.3.12.1 stable releases have been patched with additional hardening The older releases, 5.3.7.59., 5.3.8.236 and 5.3.9.173 have also been patched Any users running older release, should plan to immediately upgrade to the latest stable release 6.0 will have a RC as it's not yet released
How to fix CVE-2023-38693
To remediate CVE-2023-38693, upgrade the affected package to a fixed version below.
- —upgrade to 5.3.12.1 or later
Is CVE-2023-38693 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 5.3.10.79-RC, < 5.3.12.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL10.0 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |