Lucee Server is a dynamic, Java-based (JSR-223) tag and scripting language used for rapid web application development. In the Lucee Administrator before versions 5.3.7.47, 5.3.6.68 and 5.3.5.96 there is an unauthenticated remote code execution vulnerability. This is fixed in versions 5.3.7.47, 5.3.6.68 and 5.3.5.96. As a workaround, block access to the Lucee Administrator.
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
| Link | Tags |
|---|---|
| https://github.com/lucee/Lucee/security/advisories/GHSA-2xvv-723c-8p7r | Product |
| https://github.com/lucee/Lucee/commit/6208ab7c44c61d26c79e0b0af10382899f57e1ca | Third Party Advisory, Patch |
| https://dev.lucee.org/t/lucee-vulnerability-alert-november-2020/7643 | Vendor Advisory |
| https://github.com/httpvoid/writeups/blob/main/Apple-RCE.md | Third Party Advisory, Exploit |
| https://portswigger.net/daily-swig/security-researchers-earn-50k-after-exposing-critical-flaw-in-apple-travel-portal | Press/Media Coverage, Third Party Advisory |
| http://ciacfug.org/blog/updating-lucee-as-part-of-a-vulnerability-alert-response | Third Party Advisory, Patch |
| http://packetstormsecurity.com/files/163864/Lucee-Administrator-imgProcess.cfm-Arbitrary-File-Write.html | Exploit, VDB Entry, Third Party Advisory |