CVE-2021-21307
Remote Code Exploit in Lucee Admin
Basic Information
- CVE State: PUBLISHED
- Reserved Date: December 22, 2020
- Published Date: February 11, 2021
- Last Updated: August 03, 2024
- Vendor: lucee
- Product: Lucee
- Description: Lucee Server is a dynamic, Java based (JSR-223), tag and scripting language used for rapid web application development. In Lucee Admin before versions 5.3.7.47, 5.3.6.68 or 5.3.5.96 there is an unauthenticated remote code exploit. This is fixed in versions 5.3.7.47, 5.3.6.68 or 5.3.5.96. As a workaround, one can block access to the Lucee Administrator.
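The description names three fixed releases, one per 5.3.x branch, so a version check has to compare a host against the fix for its own branch rather than against a single number (5.3.6.67 is vulnerable even though it is numerically above 5.3.5.96). The Python below is an added example, not code from the Lucee project or from this page: it parses Lucee version strings, decides per branch whether a host predates its fix, and triages a small inventory. The inventory is constructed; the version-string format, the treatment of releases older than 5.3.5 as vulnerable, and the treatment of branches newer than 5.3.7 as fixed are assumptions not stated on the page.

```python
"""Version triage for CVE-2021-21307 (Lucee Administrator unauthenticated RCE).

Added example, not code from the Lucee project or from this advisory page.
The fixed releases come from the CVE description: 5.3.5.96, 5.3.6.68 and
5.3.7.47, one per 5.3.x branch, so a host is checked against the fix for
its own branch rather than against a single version number.

Assumptions not stated on the page:
  - Lucee reports its version as a dotted "major.minor.patch.build" string,
    optionally followed by a suffix such as "-RC" or "-SNAPSHOT".
  - Releases older than the 5.3.5 branch are treated as vulnerable.
  - Branches newer than 5.3.7 are treated as fixed.
"""
from __future__ import annotations

# Fixed release per patched branch, from the CVE-2021-21307 description.
FIXED_BY_BRANCH: dict[tuple[int, int, int], tuple[int, int, int, int]] = {
    (5, 3, 5): (5, 3, 5, 96),
    (5, 3, 6): (5, 3, 6, 68),
    (5, 3, 7): (5, 3, 7, 47),
}
OLDEST_PATCHED_BRANCH = (5, 3, 5)


def parse_version(text: str) -> tuple[tuple[int, int, int, int], bool]:
    """Return ((major, minor, patch, build), is_prerelease) for a Lucee version string.

    Missing trailing components are padded with 0; a '-suffix' marks a
    pre-release build of that number.
    """
    core, sep, _suffix = text.strip().partition("-")
    parts = core.split(".")
    if not core or len(parts) > 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Lucee version string: {text!r}")
    numbers = [int(p) for p in parts] + [0] * (4 - len(parts))
    return (numbers[0], numbers[1], numbers[2], numbers[3]), bool(sep)


def is_vulnerable(text: str) -> bool:
    """True if this version predates the fix for its branch."""
    version, prerelease = parse_version(text)
    branch = version[:3]
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is not None:
        # A pre-release of the fixed build number (e.g. "5.3.7.47-RC")
        # is still older than the fixed release itself.
        return version < fixed or (version == fixed and prerelease)
    # Outside the three patched branches (assumption, see module docstring):
    # older branches have no fix listed, newer branches are treated as fixed.
    return branch < OLDEST_PATCHED_BRANCH


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Sort {host: version} into 'vulnerable', 'patched' and 'unknown' buckets."""
    result: dict[str, list[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        try:
            bucket = "vulnerable" if is_vulnerable(version) else "patched"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(host)
    return result


# Constructed sample inventory (not real hosts or observed versions).
SAMPLE_INVENTORY = {
    "app-01": "5.3.6.61",      # 5.3.6 branch, before 5.3.6.68
    "app-02": "5.3.6.68",      # fixed release for 5.3.6
    "app-03": "5.3.7.47-RC",   # pre-release of the 5.3.7 fix
    "app-04": "5.3.8.206",     # newer branch, treated as fixed
    "app-05": "5.3.4.80",      # older than any patched branch
    "app-06": "unknown",       # unparseable version string
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts that land in the "unknown" bucket should be checked by hand rather than assumed safe; the same applies to any host where the Lucee Administrator cannot be confirmed blocked, since blocking it is the only workaround the advisory offers for unpatched installs.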
CVSS Scores
CVSS v3.1
8.6 - HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
EPSS Score
- Score: 92.97% (Percentile: 99.76%) as of 2025-04-29
Exploit Status
- Exploited in the Wild: Yes (added 2025-04-22 00:00:00 UTC; source: The Shadowserver, via CIRCL)
References
https://github.com/lucee/Lucee/security/advisories/GHSA-2xvv-723c-8p7r
https://github.com/lucee/Lucee/commit/6208ab7c44c61d26c79e0b0af10382899f57e1ca
https://dev.lucee.org/t/lucee-vulnerability-alert-november-2020/7643
https://github.com/httpvoid/writeups/blob/main/Apple-RCE.md
https://portswigger.net/daily-swig/security-researchers-earn-50k-after-exposing-critical-flaw-in-apple-travel-portal
http://ciacfug.org/blog/updating-lucee-as-part-of-a-vulnerability-alert-response
http://packetstormsecurity.com/files/163864/Lucee-Administrator-imgProcess.cfm-Arbitrary-File-Write.html
Known Exploited Vulnerability Information
Source | Added Date
---|---
The Shadowserver (via CIRCL) | 2025-04-22 00:00:00 UTC
Scanner Integrations
Scanner | URL | Date Detected
---|---|---
Metasploit | https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/lucee_admin_imgprocess_file_write.rb | 2025-04-29 11:01:13 UTC
Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-21307.yaml | 2025-04-26 00:00:00 UTC
Potential Proof of Concepts
Warning: These PoCs have not been tested and could contain malware. Use at your own risk.
- lucee_admin_imgprocess_file_write (Type: metasploit; Created: Unknown): Metasploit module for CVE-2021-21307