{"containers":{"cna":{"affected":[{"product":"Lucee","vendor":"lucee","versions":[{"status":"affected","version":">= 5.3.5.0, < 5.3.5.96"},{"status":"affected","version":">= 5.3.6.0, < 5.3.6.68"},{"status":"affected","version":">= 5.3.7.0, < 5.3.7.47"}]}],"descriptions":[{"lang":"en","value":"Lucee Server is a dynamic, Java based (JSR-223), tag and scripting language used for rapid web application development. In Lucee Admin before versions 5.3.7.47, 5.3.6.68 or 5.3.5.96 there is an unauthenticated remote code exploit. This is fixed in versions 5.3.7.47, 5.3.6.68 or 5.3.5.96. As a workaround, one can block access to the Lucee Administrator."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":8.6,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-862","description":"CWE-862: Missing Authorization","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2021-08-17T16:06:12.000Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"tags":["x_refsource_CONFIRM"],"url":"https://github.com/lucee/Lucee/security/advisories/GHSA-2xvv-723c-8p7r"},{"tags":["x_refsource_MISC"],"url":"https://github.com/lucee/Lucee/commit/6208ab7c44c61d26c79e0b0af10382899f57e1ca"},{"tags":["x_refsource_MISC"],"url":"https://dev.lucee.org/t/lucee-vulnerability-alert-november-2020/7643"},{"tags":["x_refsource_MISC"],"url":"https://github.com/httpvoid/writeups/blob/main/Apple-RCE.md"},{"tags":["x_refsource_MISC"],"url":"https://portswigger.net/daily-swig/security-researchers-earn-50k-after-exposing-critical-flaw-in-apple-travel-portal"},{"tags":["x_refsource_MISC"],"url":"http://ciacfug.org/blog/updating-lucee-as-part-of-a-vulnerability-alert-response"},{"tags":["x_refsource_MISC"],"url":"http://packetstormsecurity.com/files/163864/Lucee-Administrator-imgProcess.cfm-Arbitrary-File-Write.html"}],"source":{"advisory":"GHSA-2xvv-723c-8p7r","discovery":"UNKNOWN"},"title":"Remote Code Exploit in Lucee Admin","x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"security-advisories@github.com","ID":"CVE-2021-21307","STATE":"PUBLIC","TITLE":"Remote Code Exploit in Lucee Admin"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Lucee","version":{"version_data":[{"version_value":">= 5.3.5.0, < 5.3.5.96"},{"version_value":">= 5.3.6.0, < 5.3.6.68"},{"version_value":">= 5.3.7.0, < 5.3.7.47"}]}}]},"vendor_name":"lucee"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Lucee Server is a dynamic, Java based (JSR-223), tag and scripting language used for rapid web application development. In Lucee Admin before versions 5.3.7.47, 5.3.6.68 or 5.3.5.96 there is an unauthenticated remote code exploit. This is fixed in versions 5.3.7.47, 5.3.6.68 or 5.3.5.96. As a workaround, one can block access to the Lucee Administrator."}]},"impact":{"cvss":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":8.6,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-862: Missing Authorization"}]}]},"references":{"reference_data":[{"name":"https://github.com/lucee/Lucee/security/advisories/GHSA-2xvv-723c-8p7r","refsource":"CONFIRM","url":"https://github.com/lucee/Lucee/security/advisories/GHSA-2xvv-723c-8p7r"},{"name":"https://github.com/lucee/Lucee/commit/6208ab7c44c61d26c79e0b0af10382899f57e1ca","refsource":"MISC","url":"https://github.com/lucee/Lucee/commit/6208ab7c44c61d26c79e0b0af10382899f57e1ca"},{"name":"https://dev.lucee.org/t/lucee-vulnerability-alert-november-2020/7643","refsource":"MISC","url":"https://dev.lucee.org/t/lucee-vulnerability-alert-november-2020/7643"},{"name":"https://github.com/httpvoid/writeups/blob/main/Apple-RCE.md","refsource":"MISC","url":"https://github.com/httpvoid/writeups/blob/main/Apple-RCE.md"},{"name":"https://portswigger.net/daily-swig/security-researchers-earn-50k-after-exposing-critical-flaw-in-apple-travel-portal","refsource":"MISC","url":"https://portswigger.net/daily-swig/security-researchers-earn-50k-after-exposing-critical-flaw-in-apple-travel-portal"},{"name":"http://ciacfug.org/blog/updating-lucee-as-part-of-a-vulnerability-alert-response","refsource":"MISC","url":"http://ciacfug.org/blog/updating-lucee-as-part-of-a-vulnerability-alert-response"},{"name":"http://packetstormsecurity.com/files/163864/Lucee-Administrator-imgProcess.cfm-Arbitrary-File-Write.html","refsource":"MISC","url":"http://packetstormsecurity.com/files/163864/Lucee-Administrator-imgProcess.cfm-Arbitrary-File-Write.html"}]},"source":{"advisory":"GHSA-2xvv-723c-8p7r","discovery":"UNKNOWN"}}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-03T18:09:15.162Z"},"title":"CVE Program Container","references":[{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://github.com/lucee/Lucee/security/advisories/GHSA-2xvv-723c-8p7r"},{"tags":["x_refsource_MISC","x_transferred"],"url":"https://github.com/lucee/Lucee/commit/6208ab7c44c61d26c79e0b0af10382899f57e1ca"},{"tags":["x_refsource_MISC","x_transferred"],"url":"https://dev.lucee.org/t/lucee-vulnerability-alert-november-2020/7643"},{"tags":["x_refsource_MISC","x_transferred"],"url":"https://github.com/httpvoid/writeups/blob/main/Apple-RCE.md"},{"tags":["x_refsource_MISC","x_transferred"],"url":"https://portswigger.net/daily-swig/security-researchers-earn-50k-after-exposing-critical-flaw-in-apple-travel-portal"},{"tags":["x_refsource_MISC","x_transferred"],"url":"http://ciacfug.org/blog/updating-lucee-as-part-of-a-vulnerability-alert-response"},{"tags":["x_refsource_MISC","x_transferred"],"url":"http://packetstormsecurity.com/files/163864/Lucee-Administrator-imgProcess.cfm-Arbitrary-File-Write.html"}]}]},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2021-21307","datePublished":"2021-02-11T18:20:21.000Z","dateReserved":"2020-12-22T00:00:00.000Z","dateUpdated":"2024-08-03T18:09:15.162Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"}