Heads-up on Lucee vuln, publicized today, Feb 15

It’s kind of confusing because the blog post mentions several different vulnerabilities, some of which are in Lucee, some of which are in Mura CMS, and all of which seem to depend upon specific server/application configs.

The one that concerns me most is the cookie parsing vulnerability discussed in the “Attempt 3” section of the post. That one looks like it’s a Lucee vulnerability that is only addressed as of Lucee, and then only if you’ve taken active measures to disable the dangerous behavior. See the referenced commit:

and the response from the Lucee team describing the countermeasures:

I don’t know if there’s a CVE for this cookie vulnerability yet.