CVE-2024-55354

April 10, 2025, 12:15 a.m.

8.8
High

Description

Lucee before 5.4.7.3 LTS and 6 before 6.1.1.118, when an attacker can place files on the server, is vulnerable to a protection mechanism failure that can let an attacker run code that would be expected to be blocked and access resources that would be expected to be protected.

Product(s) Impacted

Product Versions
lucee
  • <5.4.7.3
lucee
  • <6.1.1.118

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-807
Reliance on Untrusted Inputs in a Security Decision
The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.

References

https://dev.lucee.org/t/lucee-cve-2024-55354-security-advisory-april-2025/14963

Tags

cve@mitre.org
CWE-807
2025-04-08
CVE-2024-55354

CVSS Score

8.8 / 10

CVSS Data - 3.1

  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • Scope: CHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

    • CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

    View Vector String

Timeline

Published: April 8, 2025, 10:15 p.m.
Last Modified: April 10, 2025, 12:15 a.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

cve@mitre.org

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.