exploitDog
GHSA-vwjx-mmwm-pwrf

Published: 5 Mar 2025
Source: github
GitHub: reviewed
CVSS3: 10

Description

Lucee RCE/XXE Vulnerability

Impact

The Lucee team received a responsible disclosure of a security vulnerability which affects all previous releases of Lucee.

After reviewing the report and confirming the vulnerability, the Lucee team conducted a further security review and found additional vulnerabilities, which have been addressed as part of this security update.

Patches

The Lucee 5.4.3.2 and 5.3.12.1 stable releases have been patched, with additional hardening.

The older releases 5.3.7.59, 5.3.8.236 and 5.3.9.173 have also been patched.

Any users running an older release should plan to upgrade immediately to the latest stable release.

Lucee 6.0 is not yet released; its fix will ship as a release candidate (RC).

Packages

Name             Ecosystem  Affected versions              Fixed version
org.lucee:lucee  maven      >= 5.3.10.79-RC, < 5.3.12.1    5.3.12.1
org.lucee:lucee  maven      >= 5.4.0.65-RC, < 5.4.3.2      5.4.3.2
org.lucee:lucee  maven      <= 5.3.7.59                    none listed
org.lucee:lucee  maven      >= 5.3.8.132-RC, < 5.3.8.236   5.3.8.236
org.lucee:lucee  maven      >= 5.3.9.113, < 5.3.9.173      5.3.9.173

Note: the "<= 5.3.7.59" row lists no fixed version, while the advisory text above and the NVD summary below both name 5.3.7.59 as a patched release.

EPSS

Percentile: 41%
Score: 0.00189 (low)

CVSS3

10 (Critical)

Weaknesses

CWE-611

Related vulnerabilities

NVD entry (CVSS3: 9.8, published 11 months ago):

Lucee Server (or simply Lucee) is a dynamic, Java-based tag and scripting language used for rapid web application development. The Lucee REST endpoint is vulnerable to RCE via an XML XXE attack. This vulnerability is fixed in Lucee 5.4.3.2, 5.3.12.1, 5.3.7.59, 5.3.8.236, and 5.3.9.173.
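The bug class named in the NVD summary (CWE-611, XML external entity processing) is easiest to see side by side: the same parser once with external entities enabled and once with them off. The following is an added illustration written for this page, not Lucee code and not the patch the Lucee team shipped; it uses only the Python standard library (xml.sax on top of expat). The secret file, the request body, the element names and the hardened_parse entry point are all constructed for the demonstration.

```python
"""Added illustration of CWE-611 (XML external entity processing).

Not Lucee code. A request body that declares an external general entity makes
a parser that resolves such entities read a local file (or fetch an internal
URL) and splice the result into the document. With external general entities
left off, the same reference contributes nothing; refusing any DOCTYPE up front
removes the attack surface entirely. Everything below is constructed.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Gathers the character data of the whole document into one string."""

    def __init__(self):
        super().__init__()
        self._parts = []

    def characters(self, content):
        self._parts.append(content)

    @property
    def text(self):
        return "".join(self._parts)


def xxe_payload(target_path):
    """Constructed attacker body: an external general entity pointing at a file.

    Newlines are deliberately omitted so the only character data is the entity.
    """
    return (
        '<?xml version="1.0"?>'
        '<!DOCTYPE request [<!ENTITY xxe SYSTEM "' + target_path + '">]>'
        '<request><name>&xxe;</name></request>'
    )


def parse_body(xml_bytes, resolve_external_entities):
    """Parse a request body and return its text content.

    resolve_external_entities=True is the vulnerable setting: expat opens the
    SYSTEM identifier (a path or URL) and parses its contents as part of the
    document. False is the hardened setting; the entity reference then
    contributes nothing.
    """
    handler = TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    parser.setFeature(feature_external_ges, resolve_external_entities)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text


def hardened_parse(xml_bytes):
    """Hypothetical hardened entry point: refuse any DOCTYPE, then parse with
    external entities disabled. Rejecting the DOCTYPE also shuts out entity
    expansion (billion laughs) and parameter-entity tricks that the feature
    flag alone does not address."""
    # Scanning the raw bytes assumes an ASCII-compatible encoding; a body that
    # declares UTF-16 would slip past this test, so the feature flag stays off
    # as the second line of defence.
    if b"<!DOCTYPE" in xml_bytes:
        raise ValueError("DOCTYPE declarations are not accepted")
    return parse_body(xml_bytes, resolve_external_entities=False)


def demo():
    """Write a constructed secret, then parse the same payload three ways.

    Returns (leaked, dropped, rejected): the file content recovered through the
    vulnerable parser, what the parser yields with external entities off, and
    whether the hardened entry point refused the body.
    """
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("db-password=hunter2")  # constructed secret
        secret_path = f.name
    try:
        body = xxe_payload(secret_path).encode()
        leaked = parse_body(body, resolve_external_entities=True)
        dropped = parse_body(body, resolve_external_entities=False)
        try:
            hardened_parse(body)
            rejected = False
        except ValueError:
            rejected = True
    finally:
        os.unlink(secret_path)
    return leaked, dropped, rejected


if __name__ == "__main__":
    leaked, dropped, rejected = demo()
    print("vulnerable parser returned:", repr(leaked))
    print("entities disabled returned:", repr(dropped))
    print("hardened parser rejected body:", rejected)
```

Running the script prints the secret once (from the vulnerable configuration), an empty string for the parser with external entities off, and True for the hardened entry point. The Java equivalent for a JVM-hosted service such as Lucee is to set the Xerces feature http://apache.org/xml/features/disallow-doctype-decl to true on the parser factory, or, where DTDs must be accepted, to disable external-general-entities and external-parameter-entities and install a resolver that returns an empty source.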
