Auth bypass in Lucee
CVE-2021-21307
Lucee Server is a dynamic, Java-based (JSR-223) tag and scripting language used for rapid web application development. In Lucee Admin before versions 5.3.7.47, 5.3.6.68 or 5.3.5.96 there is an unauthenticated remote code exploit. This is…
Vulnerability class: Broken Access Control
EPSS: 0.921 (99.7th percentile)
CVSS v3 metric
CVSS v3 base score 8.6 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N.
Affected products
- Lucee — versions >= 5.3.5.0 and < 5.3.5.96; versions >= 5.3.6.0 and < 5.3.6.68; versions >= 5.3.7.0 and < 5.3.7.47
Weakness classification (CWE)
Public proof-of-concept exploits
References
- github.com/lucee/Lucee/security/advisories/GHSA-2xvv-723c-8p7r (x_refsource_CONFIRM)
- github.com/lucee/Lucee/commit/6208ab7c44c61d26c79e0b0af10382899f57e1ca (x_refsource_MISC)
- dev.lucee.org/t/lucee-vulnerability-alert-november-2020/7643 (x_refsource_MISC)
- github.com/httpvoid/writeups/blob/main/Apple-RCE.md (x_refsource_MISC)
- portswigger.net/daily-swig/security-researchers-earn-50k-after-exposing-critica… (x_refsource_MISC)
- ciacfug.org/blog/updating-lucee-as-part-of-a-vulnerability-alert-response (x_refsource_MISC)
- packetstormsecurity.com/files/163864/Lucee-Administrator-imgProcess.cfm-Arbitra… (x_refsource_MISC)
Frequently asked questions
- What is CVE-2021-21307?
- CVE-2021-21307 is a high-severity vulnerability in Lucee, classified under Missing Authorization. CVSS score: 8.6/10. Published 2021-02-11.
- How severe is CVE-2021-21307?
- High severity. CVSS v3 base score is 8.6 out of 10.
- Is CVE-2021-21307 known to be exploited?
- 6 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.