Hi Team,
###Problem Statement:-
We are currently using Lucee 6.0.3.1 on a Windows Server 2022 IIS environment. During vulnerability assessment, we identified Jetty Vulnerability CVE-2026-2332 (QID: 5010911) in the following files:
D:\lucee\tomcat\lucee-server\bundles\net.sf.ehcache-2.10.9.2.jar!rest-management-private-classpath/META-INF/maven/org.eclipse.jetty/jetty-http/pom.properties
D:\lucee\tomcat\lucee-server\bundles\org.lucee.ehcache-2.10.9.2.jar!rest-management-private-classpath/META-INF/maven/org.eclipse.jetty/jetty-http/pom.properties
###Analysis Performed:-
We upgraded Lucee from 6.0.3.1 to 6.2.7.16 by replacing the lucee.jar downloaded from:
https://download.lucee.org/
The Lucee upgrade was successful, and application functionality was validated without any issues.
However, the impacted JAR files:
org.lucee.ehcache-2.10.9.2.jarnet.sf.ehcache-2.10.9.2.jarwere not updated under:D:\lucee\tomcat\lucee-server\bundles
Based on our analysis, these files appear to be dependencies of the
EHCache extension and are not included as part of the Lucee core upgrade.
We also attempted to update the EHCache extension by downloading and installing the latest available.lexpackage through the Lucee Administrator Extension Manager.
However, the latest version available for download appears to be the same as the version currently installed on our server (EHCache Extension 2.10.0.39), and no newer version is available.
Assistance Required from Lucee Team
Could you please review this vulnerability and advise on the following:
Has CVE-2026-2332 already been addressed in the current EHCache extension and is being reported incorrectly by vulnerability scanners?
Is there any updated EHCache extension version or patch release planned that addresses this vulnerability?
Is this a false positive resulting from embedded dependency metadata within the EHCache extension?
Are there any recommended remediation steps, workarounds, or mitigation actions that can be implemented from the Lucee side?
We would appreciate your guidance on the recommended approach for remediating or validating this vulnerability.
regards,
Manjunath.