CVE-2021-21307 Remote Code Exploit in Lucee Admin

Published: 2021-02-11 18:20:21
CWE-862
GitHub_M
www.cve.org

CVSS3 base score: 8.6
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

AI Score: 9.6 (Confidence: High)
EPSS: 0.973 (Percentile: 99.9%)

Lucee Server is a dynamic, Java-based (JSR-223) tag and scripting language used for rapid web application development. Lucee Admin before versions 5.3.7.47, 5.3.6.68 and 5.3.5.96 contains an unauthenticated remote code exploit. This is fixed in versions 5.3.7.47, 5.3.6.68 and 5.3.5.96. As a workaround, block access to the Lucee Administrator.

CNA Affected

[
  {
    "product": "Lucee",
    "vendor": "lucee",
    "versions": [
      {
        "status": "affected",
        "version": ">= 5.3.5.0, < 5.3.5.96"
      },
      {
        "status": "affected",
        "version": ">= 5.3.6.0, < 5.3.6.68"
      },
      {
        "status": "affected",
        "version": ">= 5.3.7.0, < 5.3.7.47"
      }
    ]
  }
]