CVE-2021-21307 — HIGH (8.6)

Q: How severe is CVE-2021-21307?

CVE-2021-21307 has been rated HIGH with a CVSS base score of 8.6/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-21307?

Check the references section above for vendor advisories and patch information. Affected products include: Lucee Lucee Server.

Vulnerability Description

Lucee Server is a dynamic, Java based (JSR-223), tag and scripting language used for rapid web application development. In Lucee Admin before versions 5.3.7.47, 5.3.6.68 or 5.3.5.96 there is an unauthenticated remote code exploit. This is fixed in versions 5.3.7.47, 5.3.6.68 or 5.3.5.96. As a workaround, one can block access to the Lucee Administrator.

CVSS Score

8.6

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Lucee	Lucee Server	>= 5.3.5.00, < 5.3.5.96

Related Weaknesses (CWE)

CWE-862

References

http://ciacfug.org/blog/updating-lucee-as-part-of-a-vulnerability-alert-responsePatchThird Party Advisory
http://packetstormsecurity.com/files/163864/Lucee-Administrator-imgProcess.cfm-AExploitThird Party AdvisoryVDB Entry
https://dev.lucee.org/t/lucee-vulnerability-alert-november-2020/7643Vendor Advisory
https://github.com/httpvoid/writeups/blob/main/Apple-RCE.mdExploitThird Party Advisory
https://github.com/lucee/Lucee/commit/6208ab7c44c61d26c79e0b0af10382899f57e1caPatchThird Party Advisory
https://github.com/lucee/Lucee/security/advisories/GHSA-2xvv-723c-8p7rProduct
https://portswigger.net/daily-swig/security-researchers-earn-50k-after-exposing-Press/Media CoverageThird Party Advisory
http://ciacfug.org/blog/updating-lucee-as-part-of-a-vulnerability-alert-responsePatchThird Party Advisory
http://packetstormsecurity.com/files/163864/Lucee-Administrator-imgProcess.cfm-AExploitThird Party AdvisoryVDB Entry
https://dev.lucee.org/t/lucee-vulnerability-alert-november-2020/7643Vendor Advisory
https://github.com/httpvoid/writeups/blob/main/Apple-RCE.mdExploitThird Party Advisory
https://github.com/lucee/Lucee/commit/6208ab7c44c61d26c79e0b0af10382899f57e1caPatchThird Party Advisory
https://github.com/lucee/Lucee/security/advisories/GHSA-2xvv-723c-8p7rProduct
https://portswigger.net/daily-swig/security-researchers-earn-50k-after-exposing-Press/Media CoverageThird Party Advisory

FAQ

What is CVE-2021-21307?

CVE-2021-21307 is a vulnerability with a CVSS score of 8.6 (HIGH). Lucee Server is a dynamic, Java based (JSR-223), tag and scripting language used for rapid web application development. In Lucee Admin before versions 5.3.7.47, 5.3.6.68 or 5.3.5.96 there is an unauth...

How severe is CVE-2021-21307?

CVE-2021-21307 has been rated HIGH with a CVSS base score of 8.6/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-21307?

Check the references section above for vendor advisories and patch information. Affected products include: Lucee Lucee Server.