CVE-2023-38693
RCE in Lucee REST endpoint
Severity Score
9.8
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Track
*SSVC
Descriptions
Lucee Server (or simply Lucee) is a dynamic, Java based, tag and scripting language used for rapid web application development. The Lucee REST endpoint is vulnerable to RCE via an XML XXE attack. This vulnerability is fixed in Lucee 5.4.3.2, 5.3.12.1, 5.3.7.59, 5.3.8.236, and 5.3.9.173.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Track
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2023-07-24 CVE Reserved
- 2025-03-05 CVE Published
- 2025-03-06 CVE Updated
- 2025-08-04 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-611: Improper Restriction of XML External Entity Reference
CAPEC
References (1)
| URL | Tag | Source |
|---|---|---|
| https://github.com/lucee/Lucee/security/advisories/GHSA-vwjx-mmwm-pwrf | X_refsource_confirm |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Lucee Search vendor "Lucee" | Lucee Search vendor "Lucee" for product "Lucee" | >= 5.4.0.0 < 5.4.3.2 Search vendor "Lucee" for product "Lucee" and version " >= 5.4.0.0 < 5.4.3.2" | en |
Affected
| ||||||
| Lucee Search vendor "Lucee" | Lucee Search vendor "Lucee" for product "Lucee" | >= 5.3.12.0 < 5.3.12.1 Search vendor "Lucee" for product "Lucee" and version " >= 5.3.12.0 < 5.3.12.1" | en |
Affected
| ||||||
| Lucee Search vendor "Lucee" | Lucee Search vendor "Lucee" for product "Lucee" | < 5.3.7.59 Search vendor "Lucee" for product "Lucee" and version " < 5.3.7.59" | en |
Affected
| ||||||
| Lucee Search vendor "Lucee" | Lucee Search vendor "Lucee" for product "Lucee" | >= 5.3.8.0 < 5.3.8.236 Search vendor "Lucee" for product "Lucee" and version " >= 5.3.8.0 < 5.3.8.236" | en |
Affected
| ||||||
| Lucee Search vendor "Lucee" | Lucee Search vendor "Lucee" for product "Lucee" | >= 5.3.9.0 < 5.3.9.173 Search vendor "Lucee" for product "Lucee" and version " >= 5.3.9.0 < 5.3.9.173" | en |
Affected
| ||||||