With the recently published Lucee vulnerabilities (HoyaHaxa: A Security Research Blog: Thinking Defensively about Three Recent Lucee Vulnerabilities), I see that the RCE issue with isDefined(), structGet() and empty() can be prevented using the new lucee.security.limitEvaluation environment property, but it requires Lucee 5.4.5.8 or higher, which are currently only available as Snapshots. Any idea when a production release of 5.4.5.x will be made?