CVE-2021-21307

HIGH · EXPLOITED · NUCLEI

Lucee Server < 5.3.7.47 / 5.3.6.68 / 5.3.5.96 - RCE

Title source: llm

Description

Lucee Server is a dynamic, Java-based (JSR-223) tag and scripting language used for rapid web application development. Lucee Admin before versions 5.3.7.47, 5.3.6.68 and 5.3.5.96 (one fix release per maintained 5.3.x branch) contains an unauthenticated remote code execution vulnerability; as the name of the Metasploit module listed below (lucee_admin_imgprocess_file_write) indicates, it is reached through an unauthenticated file write in the administrator's image-processing endpoint. The issue is fixed in 5.3.7.47, 5.3.6.68 and 5.3.5.96. As a workaround until the upgrade, block access to the Lucee Administrator (the /lucee/admin/ path) at the reverse proxy or firewall; note that the flaw needs no credentials, so restricting admin logins alone is not sufficient.
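An added triage helper, not part of this page or of the Lucee project, that applies the three branch-specific fix versions from the description to an inventory of Lucee version strings (as read from the administrator page or a deployment inventory). The sample inventory is constructed, and the rule that branches older than 5.3.5, which received no fix release, are treated as affected is an assumption stated in the code.

```python
"""Added example (not from this page or the Lucee project): triage Lucee
version strings against the CVE-2021-21307 fix versions.

Fixed releases from the advisory, one per maintained 5.3.x branch:
5.3.5.96, 5.3.6.68 and 5.3.7.47.  A version is affected when it is older
than the fix release of its own branch.
"""

FIXED_VERSIONS = ("5.3.5.96", "5.3.6.68", "5.3.7.47")


def parse_version(version: str) -> tuple:
    """Parse 'MAJOR.MINOR.PATCH.BUILD[-SUFFIX]' into a sortable tuple.

    A suffix such as '-SNAPSHOT' or '-RC' marks a pre-release build that is
    older than the release carrying the same number, so it sorts as 0 while a
    plain release sorts as 1 in the last position.
    """
    core, _, suffix = version.partition("-")
    parts = core.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Lucee version format: {version!r}")
    return tuple(int(p) for p in parts) + (0 if suffix else 1,)


# Map each fixed branch (5.3.5, 5.3.6, 5.3.7) to its parsed fix release.
_FIX_BY_BRANCH = {parse_version(v)[:3]: parse_version(v) for v in FIXED_VERSIONS}
_OLDEST_FIXED_BRANCH = min(_FIX_BY_BRANCH)


def is_vulnerable(version: str) -> bool:
    """True if the given Lucee version is inside the affected range."""
    parsed = parse_version(version)
    branch = parsed[:3]
    if branch in _FIX_BY_BRANCH:
        # Same branch as a fix release: anything older than the fix is affected.
        return parsed < _FIX_BY_BRANCH[branch]
    if branch < _OLDEST_FIXED_BRANCH:
        # Assumption: branches before 5.3.5 never received a fix release and
        # are therefore treated as affected (the conservative choice).
        return True
    # Branches newer than 5.3.7 were cut after the fix landed.
    return False


def triage(inventory: dict) -> list:
    """Return the hostnames whose Lucee version is affected, sorted."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "app-01.example.internal": "5.3.7.46",
    "app-02.example.internal": "5.3.7.47",
    "app-03.example.internal": "5.3.6.61",
    "app-04.example.internal": "5.3.7.47-SNAPSHOT",
    "app-05.example.internal": "5.3.8.206",
    "legacy.example.internal": "5.3.4.80",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is affected by CVE-2021-21307")
```

Pre-release builds of a fix version (for example 5.3.7.47-SNAPSHOT) are deliberately reported as affected, since a snapshot cut before the release may not contain the fix.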

Exploits (3)

vulncheck_xdb WRITEUP
remote
https://github.com/httpvoid/writeups
vulncheck_xdb WORKING POC
remote
https://github.com/httpvoid/CVE-Reverse
metasploit WORKING POC EXCELLENT
by rootxharsh, iamnoooob, wvu · ruby · poc · unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/lucee_admin_imgprocess_file_write.rb

Nuclei Templates (1)

Lucee Admin - Remote Code Execution
CRITICAL · by dhiyaneshDk

Scores

CVSS v3 8.6
EPSS 0.9206
EPSS Percentile 99.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

Details

VulnCheck KEV 2023-11-29
CWE
CWE-862 (Missing Authorization)
Status published
Products (1)
lucee/lucee_server 5.3.5.00 - 5.3.5.96
Published Feb 11, 2021
Tracked Since Feb 18, 2026