Lucee Administrator: Unauthenticated Remote Code Execution (CVE-2021-21307)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 7 | (AV:N/AC:L/Au:N/C:P/I:P/A:P) | Feb 11, 2021 | Jun 14, 2021 | Sep 10, 2021 |
Description
Lucee Server is a dynamic, Java-based (JSR-223) tag and scripting
language used for rapid web application development. Lucee Admin versions
before 5.3.7.47, 5.3.6.68 or 5.3.5.96 contain an unauthenticated remote
code execution vulnerability. It is fixed in versions 5.3.7.47, 5.3.6.68
and 5.3.5.96. As a workaround, block access to the Lucee Administrator.
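The fixed builds in the description are per release branch, so an inventory check has to compare the build number within the matching branch rather than compare whole version strings. The following is an added example, not Rapid7 or Lucee code; the host names and inventory are constructed, and marking branches the advisory does not list as "review" is an assumption.

```python
import re

# Fixed build per release branch, taken from the advisory text above.
FIXED_BUILDS = {(5, 3, 5): 96, (5, 3, 6): 68, (5, 3, 7): 47}

# major.minor.patch.build with an optional suffix such as -RC or -SNAPSHOT.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)(-[A-Za-z0-9.]+)?$")


def classify(version):
    """Return 'vulnerable', 'fixed' or 'review' for one Lucee version string."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return "review"  # unparsable: needs a human to look at it
    major, minor, patch, build = (int(g) for g in m.groups()[:4])
    fixed_build = FIXED_BUILDS.get((major, minor, patch))
    if fixed_build is None:
        # Assumption: the advisory names only three branches, so any other
        # branch is flagged for manual review instead of being guessed at.
        return "review"
    if build < fixed_build:  # numeric comparison, so 9 < 68
        return "vulnerable"
    if build == fixed_build and m.group(5):
        return "review"  # pre-release of the fixed build: confirm the patch
    return "fixed"


def triage(inventory):
    """Map each host in {host: version} to its classification."""
    return {host: classify(version) for host, version in inventory.items()}


# Constructed sample inventory (hypothetical hosts).
INVENTORY = {
    "app01.example.internal": "5.3.7.46",
    "app02.example.internal": "5.3.7.47",
    "app03.example.internal": "5.3.6.9",
    "app04.example.internal": "5.3.5.96-SNAPSHOT",
    "app05.example.internal": "5.3.8.10",
}

if __name__ == "__main__":
    for host, verdict in sorted(triage(INVENTORY).items()):
        print(f"{host}\t{INVENTORY[host]}\t{verdict}")
```

Hosts reported as "vulnerable" or "review" are the ones where the workaround of blocking access to the Lucee Administrator applies until they are upgraded.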
Solution
http-lucee-admin-cve-2021-21307