CVE-2023-38693

Lucee Server (or simply Lucee) is a dynamic, Java based, tag and scripting language used for rapid web application development. The Lucee REST endpoint is vulnerable to RCE via an XML XXE attack. This vulnerability is fixed in Lucee 5.4.3.2, 5.3.12.1, 5.3.7.59, 5.3.8.236, and 5.3.9.173.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/lucee/Lucee/security/advisories/GHSA-vwjx-mmwm-pwrf

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) Lucee Server (o simplemente Lucee) es un lenguaje de etiquetas y scripts dinámicos basados en Java que se utiliza para el desarrollo rápido de aplicaciones web. El endpoint REST de Lucee es vulnerable a RCE a través de un ataque XML XXE. Esta vulnerabilidad se ha corregido en Lucee 5.4.3.2, 5.3.12.1, 5.3.7.59, 5.3.8.236 y 5.3.9.173.

05 Mar 2025, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-05 16:15

Updated : 2026-06-17 06:10

NVD link : CVE-2023-38693

Mitre link : CVE-2023-38693

CVE.ORG link : CVE-2023-38693

JSON object : View

Products Affected

No product.

CWE

CWE-611

Improper Restriction of XML External Entity Reference

{"id": "CVE-2023-38693", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2023-38693", "role": "CISA Coordinator", "options": [{"exploitation": "none"}, {"automatable": "no"}, {"technicalImpact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-06T21:58:27.654139Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "affected": [{"source": "security-advisories@github.com", "affectedData": [{"vendor": "lucee", "product": "Lucee", "versions": [{"status": "affected", "version": ">= 5.4.0.0, < 5.4.3.2"}, {"status": "affected", "version": ">= 5.3.12.0, < 5.3.12.1"}, {"status": "affected", "version": "< 5.3.7.59"}, {"status": "affected", "version": ">= 5.3.8.0, < 5.3.8.236"}, {"status": "affected", "version": ">= 5.3.9.0, < 5.3.9.173"}]}]}], "published": "2025-03-05T16:15:37.007", "references": [{"url": "https://github.com/lucee/Lucee/security/advisories/GHSA-vwjx-mmwm-pwrf", "source": "security-advisories@github.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-611"}]}], "descriptions": [{"lang": "en", "value": "Lucee Server (or simply Lucee) is a dynamic, Java based, tag and scripting language used for rapid web application development. The Lucee REST endpoint is vulnerable to RCE via an XML XXE attack. This vulnerability is fixed in Lucee 5.4.3.2, 5.3.12.1, 5.3.7.59, 5.3.8.236, and 5.3.9.173."}, {"lang": "es", "value": "Lucee Server (o simplemente Lucee) es un lenguaje de etiquetas y scripts din\u00e1micos basados en Java que se utiliza para el desarrollo r\u00e1pido de aplicaciones web. El endpoint REST de Lucee es vulnerable a RCE a trav\u00e9s de un ataque XML XXE. Esta vulnerabilidad se ha corregido en Lucee 5.4.3.2, 5.3.12.1, 5.3.7.59, 5.3.8.236 y 5.3.9.173."}], "lastModified": "2026-06-17T06:10:58.063", "sourceIdentifier": "security-advisories@github.com"}