Description

Lucee Server is a dynamic, Java based (JSR-223), tag and scripting language used for rapid web application development. In Lucee Admin before versions 5.3.7.47, 5.3.6.68 or 5.3.5.96 there is an unauthenticated remote code exploit. This is fixed in versions 5.3.7.47, 5.3.6.68 or 5.3.5.96. As a workaround, one can block access to the Lucee Administrator.

Remediation

References

https://github.com/httpvoid/writeups/blob/main/Apple-RCE.md

http://ciacfug.org/blog/updating-lucee-as-part-of-a-vulnerability-alert-response

https://portswigger.net/daily-swig/security-researchers-earn-50k-after-exposing-critical-flaw-in-apple-travel-portal

https://dev.lucee.org/t/lucee-vulnerability-alert-november-2020/7643

https://github.com/lucee/Lucee/commit/6208ab7c44c61d26c79e0b0af10382899f57e1ca

https://github.com/lucee/Lucee/security/advisories/GHSA-2xvv-723c-8p7r

http://packetstormsecurity.com/files/163864/Lucee-Administrator-imgProcess.cfm-Arbitrary-File-Write.html

Related Vulnerabilities

CVE-2023-3990 Vulnerability in maven package net.mingsoft:ms-mcms

CVE-2023-25572 Vulnerability in maven package org.webjars.npm:react-admin

CVE-2020-36732 Vulnerability in maven package org.webjars.npm:crypto-js

CVE-2023-29522 Vulnerability in maven package org.xwiki.platform:xwiki-platform-web-templates

CVE-2021-23337 Vulnerability in npm package lodash

Severity

Critical

Classification

CWE-862 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Exploit Third Party Advisory Patch Press Media Coverage Vendor Advisory Product VDB Entry