{
  "schema_version": "1.4.0",
  "id": "GHSA-vwjx-mmwm-pwrf",
  "modified": "2025-03-05T19:30:32Z",
  "published": "2025-03-05T18:31:03Z",
  "aliases": [
    "CVE-2023-38693"
  ],
  "summary": "Lucee RCE/XXE Vulnerability",
  "details": "### Impact\n\nThe Lucee team received a responsible disclosure of a security vulnerability which affects all previous releases of Lucee.\n\nAfter reviewing the report and confirming the vulnerability, the Lucee team then conducted a further security review and found additional vulnerabilities which have been addressed as part of this this security update.\n\n### Patches\n\nLucee 5.4.3.2 and 5.3.12.1 stable releases have been patched with additional hardening\n\nThe older releases, 5.3.7.59., 5.3.8.236 and 5.3.9.173 have also been patched\n\nAny users running older release, should plan to immediately upgrade to the latest stable release\n\n6.0 will have a RC as it's not yet released",
  "severity": [
    {
      "type": "CVSS_V3",
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.lucee:lucee"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "5.3.10.79-RC"
            },
            {
              "fixed": "5.3.12.1"
            }
          ]
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.lucee:lucee"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "5.4.0.65-RC"
            },
            {
              "fixed": "5.4.3.2"
            }
          ]
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.lucee:lucee"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "5.3.7.59"
            }
          ]
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.lucee:lucee"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "5.3.8.132-RC"
            },
            {
              "fixed": "5.3.8.236"
            }
          ]
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.lucee:lucee"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "5.3.9.113"
            },
            {
              "fixed": "5.3.9.173"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/lucee/Lucee/security/advisories/GHSA-vwjx-mmwm-pwrf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38693"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/lucee/Lucee"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-05T18:31:03Z",
    "nvd_published_at": "2025-03-05T16:15:37Z"
  }
}