Attacker Value

Very High

(1 user assessed)

Exploitability

High

(1 user assessed)

User Interaction

CVE-2021-21307

Disclosure Date: February 11, 2021 •

CVE-2021-21307 CVSS v3 Base Score: 9.8

Exploited in the Wild

Reported by ccondon-r7
View Source Details

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Metasploit Module

exploit/linux/http/lucee_admin_imgprocess_file_write

Description

Lucee Server is a dynamic, Java based (JSR-223), tag and scripting language used for rapid web application development. In Lucee Admin before versions 5.3.7.47, 5.3.6.68 or 5.3.5.96 there is an unauthenticated remote code exploit. This is fixed in versions 5.3.7.47, 5.3.6.68 or 5.3.5.96. As a workaround, one can block access to the Lucee Administrator.

Add Assessment

ccondon-r7 (282)

October 11, 2021 12:42pm UTC (3 years ago)•Edited 3 years ago

Ratings

Attacker Value

Very High

Exploitability

High

Gives privileged access Unauthenticated

Technical Analysis

This is another of those products I hadn’t ever heard of before we started hearing about compromises. There’s a Metasploit module available here, hence the relatively high exploitability rating: https://github.com/rapid7/metasploit-framework/pull/15525

Mitigation is to lock down admin access, sensibly: https://dev.lucee.org/t/lucee-vulnerability-alert-november-2020-cve-2021-21307/7643

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

9.8 Critical

Impact Score:

5.9

Exploitability Score:

3.9

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

Vendors

lucee

Products

lucee server

Metasploit Modules

exploit/linux/http/lucee_admin_imgprocess_file_write (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/lucee_admin_imgprocess_file_write.rb)

Exploited in the Wild

Reported by:

ccondon-r7 indicated source as Other: Rapid7's IR team has confirmed evidence of exploitation in the wild

Reported: July 30, 2021 3:23pm UTC (3 years ago) • Edited 3 years ago

References

Rapid7

Very High

CVE-2021-21307

Very High

High

None

None

Network

CVE-2021-21307

Description

Add Assessment

Ratings

Technical Analysis

CVSS V3 Severity and Metrics

General Information

Vendors

Products

Metasploit Modules

Exploited in the Wild

References

Canonical

Advisory

Miscellaneous

Additional Info

Technical Analysis

Very High

CVE-2021-21307

Very High

High

None

None

Network

CVE-2021-21307

Description

Add Assessment

Ratings

Technical Analysis

CVSS V3 Severity and Metrics

General Information

Vendors

Products

Metasploit Modules

Exploited in the Wild

References

Canonical

Advisory

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification