Lucee Administrator: Unauthenticated Remote Code Execution (CVE-2021-21307)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 7 | (AV:N/AC:L/Au:N/C:P/I:P/A:P) | Feb 11, 2021 | Jun 14, 2021 | Sep 10, 2021 |
Description
Lucee Server is a dynamic, Java-based (JSR-223) tag and scripting
language used for rapid web application development. Lucee Admin before
versions 5.3.7.47, 5.3.6.68 or 5.3.5.96 contains an unauthenticated remote
code execution vulnerability. This is fixed in versions 5.3.7.47, 5.3.6.68
and 5.3.5.96. As a workaround, one can block access to the Lucee Administrator.
Solution
http-lucee-admin-cve-2021-21307