Cyber Posture

CVE-2023-38693

Severity: Critical
Published: 05 March 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: available (fixed versions listed in the Security Summary)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0022 (44.0th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

Lucee Server is a dynamic, Java-based tag and scripting language used for rapid web application development. The Lucee REST endpoint is vulnerable to XML External Entity (XXE) injection (CWE-611), which an unauthenticated remote attacker can trigger with a crafted request. The issue is fixed in Lucee 5.3.7.59, 5.3.8.236, 5.3.9.173, 5.3.12.1, and 5.4.3.2.

Security Summary

CVE-2023-38693 is a remote code execution (RCE) vulnerability in the REST endpoint of Lucee Server, a dynamic, Java-based tag and scripting language used for rapid web application development. The flaw is an XML External Entity (XXE) injection (CWE-611): the endpoint's XML parser resolves attacker-supplied external entity declarations in the request body. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), rated Critical.

An unauthenticated attacker with network access can exploit this vulnerability by sending a crafted XML request to the Lucee REST endpoint; the parser processes the embedded entity declarations, and the attacker achieves arbitrary code execution on the server. No privileges or user interaction are required and the attack complexity is low, so confidentiality, integrity, and availability of the Lucee host are all fully compromised. Any Lucee instance whose REST endpoint is reachable from untrusted networks should therefore be treated as exposed.
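The mechanism described above, shown as an added example that is not Lucee's code and not taken from the advisory: a parser that resolves external entities hands the attacker the contents of a server-side file inside the parsed document, and the same parser refuses the request once DOCTYPE declarations are disallowed. It uses Python's standard-library expat parser so it runs offline; the secret file, its contents and the payload are constructed here for the demonstration.

```python
"""XXE against an XML-consuming endpoint: vulnerable vs hardened parsing.

Added example, not Lucee's code and not from the advisory. It uses Python's
stdlib expat parser to show (1) a parser that resolves external entities
returning a server-side file's contents as part of the parsed document, and
(2) the same parser refusing the request once DOCTYPE is disallowed. The
secret file and the payload are constructed here for the demonstration.
"""
import os
import tempfile
import xml.parsers.expat


class DoctypeRejected(Exception):
    """Raised by the hardened parser when a request body carries a DTD."""


def parse_text(xml_bytes: bytes, resolve_external_entities: bool) -> str:
    """Parse XML and return the concatenated character data of the document.

    resolve_external_entities=True models the XXE-prone configuration;
    False models the hardened one (no DOCTYPE, hence no entity declarations).
    """
    parser = xml.parsers.expat.ParserCreate()
    chunks = []
    parser.CharacterDataHandler = chunks.append

    if resolve_external_entities:
        def resolve(context, base, system_id, public_id):
            # Vulnerable: read whatever the SYSTEM identifier points at and
            # feed it back into the document as if it were entity text.
            path = system_id[len("file://"):] if system_id.startswith("file://") else system_id
            child = parser.ExternalEntityParserCreate(context)
            with open(path, "rb") as fh:
                child.Parse(fh.read(), True)
            return 1
        parser.ExternalEntityRefHandler = resolve
    else:
        def reject(*_unused):
            # Hardened: refusing any DOCTYPE removes the ability to declare
            # entities at all. On a JAXP parser the equivalent is enabling
            # the feature http://apache.org/xml/features/disallow-doctype-decl.
            raise DoctypeRejected("DOCTYPE not permitted in request body")
        parser.StartDoctypeDeclHandler = reject

    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def build_payload(target_path: str) -> bytes:
    """Constructed XXE payload shaped like a REST request body."""
    return (
        b'<?xml version="1.0"?>\n'
        b'<!DOCTYPE data [<!ENTITY xxe SYSTEM "file://' + target_path.encode() + b'">]>\n'
        b'<data><name>&xxe;</name></data>'
    )


def demo() -> dict:
    """Write a secret file, then attack it with both parser configurations."""
    secret = b"root:x:0:0:root:/root:/bin/bash\n"  # constructed sample content
    with tempfile.NamedTemporaryFile(delete=False) as fh:
        fh.write(secret)
        secret_path = fh.name
    try:
        payload = build_payload(secret_path)
        leaked = parse_text(payload, resolve_external_entities=True)
        try:
            parse_text(payload, resolve_external_entities=False)
            blocked = False
        except DoctypeRejected:
            blocked = True
        return {"secret": secret.decode(), "leaked": leaked, "blocked": blocked}
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    print(demo())
```

The point of the hardened branch is that it does not try to filter entity names or paths: it removes the DOCTYPE, so there is nothing for an attacker to declare. That is the same posture a fixed Java XML parser takes, and it is the check to look for when reviewing any service that accepts XML from the network.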

The official advisory on GitHub (GHSA-vwjx-mmwm-pwrf) confirms the issue is fixed in Lucee 5.3.7.59, 5.3.8.236, 5.3.9.173, 5.3.12.1, and 5.4.3.2, each being the patched build of its own release line. Affected installations should be upgraded to at least the listed version for their line without delay. Until that is done, limiting which networks can reach the REST endpoint reduces the attack surface, since the vulnerability requires only network access.
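A small triage helper, added here as an example and not part of the advisory or of Lucee, that compares installed version strings against the fixed versions named above. The fixed versions come from the advisory; treating each as the first patched build of its own release line, and reporting lines the advisory does not name (for instance 5.3.10, 5.3.11, or 6.x) as "unknown" rather than guessing, is this example's assumption. The inventory is constructed.

```python
"""Is an installed Lucee version at or above the fix level?

Added example, not part of the advisory or of Lucee. The fixed versions
(5.3.7.59, 5.3.8.236, 5.3.9.173, 5.3.12.1, 5.4.3.2) are those named in
GHSA-vwjx-mmwm-pwrf. Treating each as the patched build of its own release
line, and treating lines the advisory does not name as "unknown", is this
example's assumption; the sample inventory below is constructed.
"""

# Release line prefix -> first fixed version on that line (assumption: the
# 5.3.x fixes are per 5.3.x line, the 5.4 fix covers the whole 5.4 line).
FIX_LEVELS = {
    (5, 3, 7): (5, 3, 7, 59),
    (5, 3, 8): (5, 3, 8, 236),
    (5, 3, 9): (5, 3, 9, 173),
    (5, 3, 12): (5, 3, 12, 1),
    (5, 4): (5, 4, 3, 2),
}


def parse_version(version: str) -> tuple:
    """Turn '5.4.3.2' (optionally with a '-SNAPSHOT'/'-RC' suffix) into ints.

    Pre-release suffixes are dropped, so a snapshot is assessed by its numeric
    core; if that matters for a host, check the exact build manually.
    """
    core = version.strip().split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def assess(version: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown' for one Lucee version string."""
    v = parse_version(version)
    for prefix, fixed_at in FIX_LEVELS.items():
        if v[:len(prefix)] == prefix:
            return "fixed" if v >= fixed_at else "vulnerable"
    # Lines not named by the advisory (e.g. 5.3.10, 5.3.11, anything before
    # 5.3.7, or 6.x) need a manual check against the vendor's release notes.
    return "unknown"


def triage(inventory: dict) -> dict:
    """Group hosts by assessment so the vulnerable ones can be patched first."""
    groups = {"vulnerable": [], "fixed": [], "unknown": []}
    for host, version in inventory.items():
        groups[assess(version)].append(host)
    return groups


SAMPLE_INVENTORY = {  # constructed, not real hosts
    "app-01": "5.4.3.1",
    "app-02": "5.4.3.2",
    "app-03": "5.3.9.172",
    "app-04": "5.3.12.1",
    "app-05": "5.3.10.120",
    "app-06": "6.0.0.585",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Version strings are compared as integer tuples rather than as text, because a string comparison would rank 5.3.9.99 above 5.3.9.173. Anything the advisory does not cover is deliberately surfaced as "unknown" so it is not silently counted as safe.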

Details

CWE(s)
CWE-611

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

The unauthenticated crafted request to a public-facing REST endpoint maps to T1190 (Exploit Public-Facing Application) as the initial access step; the arbitrary code execution it yields on the server maps to T1059 (Command and Scripting Interpreter) as the execution step.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References