CVE-2021-21307

Lucee Server is a dynamic, Java based (JSR-223), tag and scripting language used for rapid web application development. In Lucee Admin before versions 5.3.7.47, 5.3.6.68 or 5.3.5.96 there is an unauthenticated remote code exploit. This is fixed in versions 5.3.7.47, 5.3.6.68 or 5.3.5.96. As a workaround, one can block access to the Lucee Administrator.

CVSS v3 9.8 CRITICAL
CVSS v2.0 7.5 HIGH

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://ciacfug.org/blog/updating-lucee-as-part-of-a-vulnerability-alert-response	Patch Third Party Advisory
http://packetstormsecurity.com/files/163864/Lucee-Administrator-imgProcess.cfm-Arbitrary-File-Write.html	Exploit Third Party Advisory VDB Entry
https://dev.lucee.org/t/lucee-vulnerability-alert-november-2020/7643	Vendor Advisory
https://github.com/httpvoid/writeups/blob/main/Apple-RCE.md	Exploit Third Party Advisory
https://github.com/lucee/Lucee/commit/6208ab7c44c61d26c79e0b0af10382899f57e1ca	Patch Third Party Advisory
https://github.com/lucee/Lucee/security/advisories/GHSA-2xvv-723c-8p7r	Product
https://portswigger.net/daily-swig/security-researchers-earn-50k-after-exposing-critical-flaw-in-apple-travel-portal	Press/Media Coverage Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:lucee:lucee_server::::::::
	cpe:2.3:a:lucee:lucee_server::::::::
	cpe:2.3:a:lucee:lucee_server::::::::

History

No history.

Information

Published : 2021-02-11 19:15

Updated : 2021-09-21 16:39

NVD link : CVE-2021-21307

Mitre link : CVE-2021-21307

CVE.ORG link : CVE-2021-21307

JSON object : View

Products Affected

lucee

lucee_server

CWE

CWE-862

Missing Authorization

{"id": "CVE-2021-21307", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 4.0, "exploitabilityScore": 3.9}]}, "published": "2021-02-11T19:15:13.313", "references": [{"url": "http://ciacfug.org/blog/updating-lucee-as-part-of-a-vulnerability-alert-response", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "http://packetstormsecurity.com/files/163864/Lucee-Administrator-imgProcess.cfm-Arbitrary-File-Write.html", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "source": "security-advisories@github.com"}, {"url": "https://dev.lucee.org/t/lucee-vulnerability-alert-november-2020/7643", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/httpvoid/writeups/blob/main/Apple-RCE.md", "tags": ["Exploit", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/lucee/Lucee/commit/6208ab7c44c61d26c79e0b0af10382899f57e1ca", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/lucee/Lucee/security/advisories/GHSA-2xvv-723c-8p7r", "tags": ["Product"], "source": "security-advisories@github.com"}, {"url": "https://portswigger.net/daily-swig/security-researchers-earn-50k-after-exposing-critical-flaw-in-apple-travel-portal", "tags": ["Press/Media Coverage", "Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "Lucee Server is a dynamic, Java based (JSR-223), tag and scripting language used for rapid web application development. In Lucee Admin before versions 5.3.7.47, 5.3.6.68 or 5.3.5.96 there is an unauthenticated remote code exploit. This is fixed in versions 5.3.7.47, 5.3.6.68 or 5.3.5.96. As a workaround, one can block access to the Lucee Administrator."}, {"lang": "es", "value": "Lucee Server es un lenguaje din\u00e1mico, de etiquetado y scripting de comandos basado en Java (JSR-223) que es utilizado para el desarrollo r\u00e1pido de aplicaciones web. En Lucee Admin anterior a versiones 5.3.7.47, 5.3.6.68 o 5.3.5.96 se presenta una explotaci\u00f3n de c\u00f3digo remota no autenticada. Esto es corregido en las versiones 5.3.7.47, 5.3.6.68 o 5.3.5.96. Como soluci\u00f3n alternativa, se puede bloquear el acceso a Lucee Administrator"}], "lastModified": "2021-09-21T16:39:50.320", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:lucee:lucee_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F63963E7-D380-493F-B75B-4FBCDD646D97", "versionEndExcluding": "5.3.5.96", "versionStartIncluding": "5.3.5.00"}, {"criteria": "cpe:2.3:a:lucee:lucee_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3653F1B9-18A4-4AA2-906E-C74FD9FF0611", "versionEndExcluding": "5.3.6.68", "versionStartIncluding": "5.3.6.00"}, {"criteria": "cpe:2.3:a:lucee:lucee_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9ED241BC-C6BA-4DBC-BD08-3FC8A529350E", "versionEndExcluding": "5.3.7.47", "versionStartIncluding": "5.3.7.00"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}