CVE-2023-38693

Source
https://cve.org/CVERecord?id=CVE-2023-38693
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-38693.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-38693
Aliases
Published
2025-03-05T15:37:55.847Z
Modified
2026-04-10T04:59:09.705344Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
RCE in Lucee REST endpoint
Details

Lucee Server (or simply Lucee) is a dynamic, Java-based tag and scripting language used for rapid web application development. The Lucee REST endpoint is vulnerable to remote code execution (RCE) via an XML external entity (XXE) attack. This vulnerability is fixed in Lucee 5.4.3.2, 5.3.12.1, 5.3.7.59, 5.3.8.236, and 5.3.9.173.

Database specific
{
    "cwe_ids": [
        "CWE-611"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/38xxx/CVE-2023-38693.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/lucee/lucee

Affected ranges

Type
GIT
Repo
https://github.com/lucee/lucee
Events
Database specific
{
    "versions": [
        {
            "introduced": "5.4.0.0"
        },
        {
            "fixed": "5.4.3.2"
        }
    ]
}

Affected versions

5.*
5.4.0.0
5.4.0.1
5.4.0.10
5.4.0.11
5.4.0.13
5.4.0.14
5.4.0.15
5.4.0.16
5.4.0.17
5.4.0.18
5.4.0.19
5.4.0.2
5.4.0.20
5.4.0.21
5.4.0.22
5.4.0.25
5.4.0.26
5.4.0.27
5.4.0.28
5.4.0.29
5.4.0.3
5.4.0.30
5.4.0.31
5.4.0.32
5.4.0.33
5.4.0.34
5.4.0.35
5.4.0.36
5.4.0.37
5.4.0.39
5.4.0.4
5.4.0.40
5.4.0.42
5.4.0.46
5.4.0.47
5.4.0.48
5.4.0.5
5.4.0.59
5.4.0.6
5.4.0.60
5.4.0.61
5.4.0.62
5.4.0.63
5.4.0.64
5.4.0.65
5.4.0.66
5.4.0.67
5.4.0.68
5.4.0.7
5.4.0.71
5.4.0.72
5.4.0.73
5.4.0.74
5.4.0.75
5.4.0.76
5.4.0.77
5.4.0.78
5.4.0.79
5.4.0.8
5.4.0.80
5.4.0.81
5.4.0.9
5.4.1.00
5.4.1.1
5.4.1.6
5.4.1.7
5.4.1.8
5.4.2.0
5.4.2.1
5.4.2.10
5.4.2.11
5.4.2.12
5.4.2.13
5.4.2.14
5.4.2.15
5.4.2.16
5.4.2.17
5.4.2.18
5.4.2.19
5.4.2.2
5.4.2.20
5.4.2.3
5.4.2.4
5.4.2.5
5.4.2.6
5.4.2.7
5.4.2.8
5.4.2.9
5.4.3.0
5.4.3.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-38693.json"