CVE-2021-21307
Published 2021-02-11
Priority P1 · 95 · critical 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW, Exploit, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 89.19% (99.8th percentile)
Lucee Server is a dynamic, Java based (JSR-223), tag and scripting language used for rapid web application development. In Lucee Admin before versions 5.3.7.47, 5.3.6.68 or 5.3.5.96 there is an unauthenticated remote code exploit. This is fixed in versions 5.3.7.47, 5.3.6.68 or 5.3.5.96. As a workaround, one can block access to the Lucee Administrator.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lucee | lucee | — | — |
| lucee | lucee | — | — |
| lucee | lucee | — | — |
| lucee | lucee_server | >= 5.3.5.00 < 5.3.5.96 | 5.3.5.96 |
| lucee | lucee_server | >= 5.3.6.00 < 5.3.6.68 | 5.3.6.68 |
| lucee | lucee_server | >= 5.3.7.00 < 5.3.7.47 | 5.3.7.47 |
Detection & IOCs (extracted from sources)
Sigma
POST request to /lucee/admin/imgProcess.cfm with file path traversal parameter (e.g., file=/../../../context/)
- Detect unauthenticated POST requests to /lucee/admin/imgProcess.cfm with a 'file' parameter containing path traversal sequences (e.g., /../../../context/); this is the file write primitive used for RCE.
- Monitor for creation of new .cfm files in the Lucee web context directory, especially files not deployed by normal application processes, as the exploit writes a webshell there.
- A response body containing 'uid=', 'gid=', and 'groups=' strings from a Lucee .cfm endpoint indicates successful RCE via the webshell.
- The exploit requires no authentication; any unauthenticated POST to /lucee/admin/imgProcess.cfm should be treated as suspicious and investigated.
- The exploit uses a path traversal in the 'file' query parameter of imgProcess.cfm to write a webshell outside the admin directory into the web context. The traversal depth (/../../../context/) may vary depending on the server's directory layout.
- The written webshell filename is randomized per exploitation attempt (randstr), so static filename-based detection is not reliable; focus on behavioral detection of new .cfm files and subsequent POST requests with 'cmd' parameters.
- The exploit executes commands as the Tomcat user, not root; post-exploitation activity should be monitored under the Tomcat process context.
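The first detection item above, turned into log-side logic as an added example (not part of this record or of any Lucee or Sigma rule): it parses constructed combined-format access log lines and flags POST requests to /lucee/admin/imgProcess.cfm whose 'file' parameter contains a path traversal sequence, after URL-decoding so single- and double-encoded forms of '..' are both caught. The log format, sample lines and IP addresses are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache/Tomcat combined access-log format (constructed sample lines below).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TARGET_PATH = "/lucee/admin/imgProcess.cfm"
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")


def is_suspicious(line):
    """Return a dict describing the hit, or None when the line is benign."""
    m = LOG_RE.match(line)
    if not m or m.group("method") != "POST":
        return None
    parts = urlsplit(m.group("target"))
    if unquote(parts.path) != TARGET_PATH:
        return None
    # parse_qs decodes once; decode again so double-encoded '..' is seen too
    for raw in parse_qs(parts.query, keep_blank_values=True).get("file", []):
        decoded = unquote(raw).replace("\\", "/")
        if TRAVERSAL_RE.search(decoded):
            return {"client": m.group("client"), "file": decoded,
                    "status": m.group("status")}
    return None


def scan(lines):
    """Apply is_suspicious to every line and return the hits in order."""
    return [hit for hit in map(is_suspicious, lines) if hit]


# Constructed sample log lines (not real traffic); RFC 5737 test addresses.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Feb/2021:10:00:01 +0000] "POST /lucee/admin/imgProcess.cfm?file=/../../../context/x.cfm HTTP/1.1" 200 512',
    '203.0.113.5 - - [11/Feb/2021:10:00:02 +0000] "POST /lucee/admin/imgProcess.cfm?file=%252F..%252F..%252F..%252Fcontext%252Fy.cfm HTTP/1.1" 200 512',
    '198.51.100.9 - - [11/Feb/2021:10:01:00 +0000] "POST /lucee/admin/imgProcess.cfm?file=logo.png HTTP/1.1" 200 100',
    '198.51.100.9 - - [11/Feb/2021:10:01:05 +0000] "GET /lucee/admin/imgProcess.cfm?file=/../../etc HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit on a host that should not expose the administrator at all is the signal to check the web context for newly written .cfm files, as the second item above describes.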
CVSS provenance
- NVD v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
- VulnCheck: 8.6 HIGH
Metasploit
Lucee Administrator imgProcess.cfm Arbitrary File Write
This module exploits an arbitrary file write in Lucee Administrator's imgProcess.cfm file to execute commands as the Tomcat user.
Nuclei
CVE-2021-21307 [CRITICAL] Lucee Admin - Remote Code Execution (CVSS 9.8)
Lucee Admin before versions 5.3.7.47, 5.3.6.68 or 5.3.5.96 contains an unauthenticated remote code execution vulnerability.
Template:

```yaml
id: CVE-2021-21307

info:
  name: Lucee Admin - Remote Code Execution
  author: dhiyaneshDk
  severity: critical
  description: Lucee Admin before versions 5.3.7.47, 5.3.6.68 or 5.3.5.96 contains an unauthenticated remote code execution vulnerability.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
  remediation: This is fixed in versions 5.3.7.47, 5.3.6.68 or 5.3.5.96. As a workaround, block access to the Lucee Administrator.
  reference:
    - https://github.com/lucee/Lucee/security/advisories/GHSA-2xvv-723c-8p7r
    - https://github.com/httpvoid/writeups/b
```
References
- http://ciacfug.org/blog/updating-lucee-as-part-of-a-vulnerability-alert-response
- http://packetstormsecurity.com/files/163864/Lucee-Administrator-imgProcess.cfm-Arbitrary-File-Write.html
- https://dev.lucee.org/t/lucee-vulnerability-alert-november-2020/7643
- https://github.com/httpvoid/writeups/blob/main/Apple-RCE.md
- https://github.com/lucee/Lucee/commit/6208ab7c44c61d26c79e0b0af10382899f57e1ca
- https://github.com/lucee/Lucee/security/advisories/GHSA-2xvv-723c-8p7r
- https://portswigger.net/daily-swig/security-researchers-earn-50k-after-exposing-critical-flaw-in-apple-travel-portal