{"id":"CVE-2021-21307","details":"Lucee Server is a dynamic, Java based (JSR-223), tag and scripting language used for rapid web application development. In Lucee Admin before versions 5.3.7.47, 5.3.6.68 or 5.3.5.96 there is an unauthenticated remote code exploit. This is fixed in versions 5.3.7.47, 5.3.6.68 or 5.3.5.96. As a workaround, one can block access to the Lucee Administrator.","aliases":["GHSA-2xvv-723c-8p7r"],"modified":"2026-07-09T11:24:10.089699Z","published":"2021-02-11T19:15:13.313Z","database_specific":{"unresolved_ranges":[{"vendor_product":"lucee:lucee_server","extracted_events":[{"introduced":"5.3.5.00"},{"fixed":"5.3.5.96"},{"introduced":"5.3.6.00"},{"fixed":"5.3.6.68"}],"source":"CPE_RANGE","cpes":["cpe:2.3:a:lucee:lucee_server:*:*:*:*:*:*:*:*"]}]},"references":[{"type":"ADVISORY","url":"https://dev.lucee.org/t/lucee-vulnerability-alert-november-2020/7643"},{"type":"ADVISORY","url":"https://github.com/lucee/Lucee/security/advisories/GHSA-2xvv-723c-8p7r"},{"type":"ADVISORY","url":"https://portswigger.net/daily-swig/security-researchers-earn-50k-after-exposing-critical-flaw-in-apple-travel-portal"},{"type":"FIX","url":"http://ciacfug.org/blog/updating-lucee-as-part-of-a-vulnerability-alert-response"},{"type":"FIX","url":"https://github.com/lucee/Lucee/commit/6208ab7c44c61d26c79e0b0af10382899f57e1ca"},{"type":"EVIDENCE","url":"http://packetstormsecurity.com/files/163864/Lucee-Administrator-imgProcess.cfm-Arbitrary-File-Write.html"},{"type":"EVIDENCE","url":"https://github.com/httpvoid/writeups/blob/main/Apple-RCE.md"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/lucee/lucee","events":[{"introduced":"0"},{"fixed":"d6c3bfb7de0b35e1ff1a0ed680d6041420ccb0d8"},{"fixed":"6208ab7c44c61d26c79e0b0af10382899f57e1ca"}],"database_specific":{"extracted_events":[{"introduced":"5.3.7.00"},{"fixed":"5.3.7.47"}],"cpe":"cpe:2.3:a:lucee:lucee_server:*:*:*:*:*:*:*:*","source":["CPE_RANGE","REFERENCES"]}}],"versions":["5.3.7.46","5.3.8.84","5.3.7.45","5.3.7.44","5.3.8.88","5.3.8.87","5.3.8.86","5.3.8.85","5.3.8.83","5.3.8.82","5.3.8.80","5.3.8.79","5.3.8.78","5.3.8.77","5.3.7.43","5.3.8.76","5.3.8.75","5.3.8.74","5.3.8.73","5.3.8.72","5.3.8.71","5.3.7.42","5.3.7.41","5.3.8.70","5.3.8.69","5.3.8.68","5.3.7.40","5.3.8.67","5.3.8.66","5.3.8.65","5.3.8.64","5.3.8.63","5.3.8.62","5.3.8.61","5.3.8.60","5.3.8.59","5.3.8.58","5.3.8.57","5.3.8.56","5.3.8.55","5.3.8.54","5.3.8.53","5.3.8.52","5.3.8.51","5.3.8.50","5.3.8.49","5.3.8.48","5.3.8.47","5.3.8.46","5.3.8.45","5.3.8.44","5.3.8.43","5.3.8.42","5.3.7.39","5.3.8.41","5.3.7.38","5.3.8.40","5.3.7.37","5.3.8.39","5.3.8.38","5.3.8.37","5.3.8.36","5.3.7.36","5.3.8.35","5.3.7.35","5.3.8.34","5.3.8.33","5.3.8.32","5.3.8.31","5.3.8.30","5.3.8.29","5.3.8.28","5.3.8.27","5.3.8.26","5.3.8.25","5.3.8.24","5.3.8.23","5.3.8.22","5.3.8.21","5.3.8.20","5.3.7.34","5.3.8.19","5.3.8.18","5.3.8.17","5.3.8.16","5.3.8.15","5.3.8.14","5.3.8.13","5.3.8.12","5.3.8.11","5.3.8.10","5.3.8.9","5.3.8.8","5.3.8.7","5.3.8.6","5.3.8.5","5.3.8.4","5.3.8.3","5.3.8.2","5.3.8.1","5.3.8.0","5.3.7.33","5.3.7.32","5.3.7.31","5.3.7.30","5.3.7.29","5.3.7.28","5.3.7.27","5.3.7.26","5.3.7.25","5.3.7.24","5.3.7.23","5.3.7.22","5.3.7.21","5.3.7.20","5.3.7.19","5.3.7.18","5.3.7.17","5.3.7.16","5.3.7.15","5.3.7.14","5.3.7.13","5.3.7.12","5.3.7.11","5.3.7.10","5.3.7.9","5.3.7.8","5.3.7.7","5.3.7.6","5.3.7.5","5.3.7.4","5.3.7.3","5.3.7.2","5.3.7.1","5.3.7.0","5.3.6.52","5.3.6.50","5.3.6.49","5.3.6.48","5.3.6.47","5.3.6.46","5.3.6.45","5.3.6.44","5.3.6.43","5.3.6.42","5.3.6.41","5.3.6.40","5.3.6.39","5.3.6.38","5.3.6.37","5.3.6.36","5.3.6.35","5.3.6.34","5.3.6.33","5.3.6.32","5.3.6.31","5.3.6.30","5.3.6.29","5.3.6.28","5.3.6.27","5.3.6.26","5.3.6.25","5.3.6.24","5.3.6.23","5.3.6.22","5.3.6.21","5.3.6.20","5.3.6.19","5.3.6.18","5.3.6.17","5.3.6.16","5.3.6.15","5.3.6.14","5.3.6.13","5.3.6.12","5.3.6.11","5.3.6.10","5.3.6.9","5.3.6.8","5.3.6.7","5.3.6.6","5.3.6.5","5.3.6.4","5.3.6.3","5.3.6.2","5.3.5.81b","5.3.6.1","5.3.6.0","5.3.5.81","5.3.5.80","5.3.5.79","5.3.5.78","5.3.5.77","5.3.5.75","5.3.5.76","5.3.5.74","5.3.5.73","5.3.5.72","5.3.5.71","5.3.5.70","5.3.5.69","5.3.5.68","5.3.5.67","5.3.5.66","5.3.5.65","5.3.5.64","5.3.5.63","5.3.5.62","5.3.5.61","5.3.5.60","5.3.5.59","5.3.5.58","5.3.5.57","5.3.5.56","5.3.5.52","5.3.5.51","5.3.5.50","5.3.5.49","5.3.5.48","5.3.5.47","5.3.5.46","5.3.5.45","5.3.5.44","5.3.5.43","5.3.5.42","5.3.5.41","5.3.5.40","5.3.5.39","5.3.5.38","5.3.5.37","5.3.5.11","5.3.5.36","5.3.5.35","5.3.5.34","5.3.5.33","5.3.5.32","5.3.5.31","5.3.5.30","5.3.5.29","5.3.5.28","5.3.5.27","5.3.5.26","5.3.5.25","5.3.5.24","5.3.5.23","5.3.5.22","5.3.5.14","5.3.5.13","5.3.5.12","5.3.5.10","5.3.5.9","5.3.5.8","5.3.5.7","5.3.5.6","5.3.5.5","5.3.5.4","5.3.5.3","5.3.4.53","5.3.5.2","5.3.5.1","5.3.5.0","5.3.4.52","5.3.4.51","5.3.4.50","5.3.4.49","5.3.4.48","5.3.4.47","5.3.4.46","5.3.4.45","5.3.4.44","5.3.4.42","5.3.4.41","5.3.4.40","5.3.4.39","5.3.4.38","5.3.4.37","5.3.4.36","5.3.4.35","5.3.4.34","5.3.2.41","5.3.2.40","5.3.2.38","5.3.2.37","5.3.2.36","5.3.2.35","5.3.2.34","5.3.2.33","5.3.2.32","5.3.2.31","5.3.2.30","5.3.2.29","5.3.2.28","5.3.2.27","5.3.2.26","5.3.2.25","5.3.2.24","5.3.2.23","5.3.2.22","5.3.2.21","5.3.2.20","5.3.2.19","5.3.2.18","5.3.2.17","5.3.2.16","5.3.2.15","5.3.2.14","5.3.2.13","5.3.2.12","5.3.2.11","5.3.2.10","5.3.2.9","5.3.2.8","5.3.2.7","5.3.2.6","5.3.2.5","5.3.2.4","5.3.1.87","5.3.2.3","5.3.2.2","5.3.2.1","5.3.2.0","5.3.1.86","5.3.1.84","5.3.1.83","5.3.1.82","5.3.1.81","5.3.1.80","5.3.1.79","5.3.1.78","5.3.1.76","5.3.1.75","5.3.1.74","5.3.1.73","5.3.1.72","5.3.1.71","5.3.1.70","5.3.1.69","5.3.1.68","5.3.1.67","5.3.1.66","5.3.1.65","5.3.1.62","5.3.1.61","5.3.1.60","5.3.1.59","5.3.1.58","5.3.1.57","5.3.1.56","5.3.1.55","5.3.1.54","5.3.1.53","5.3.1.52","5.3.1.51","5.3.1.50","5.3.1.49","5.3.1.48","5.3.1.47","5.3.1.46","5.3.1.45","5.3.1.44","5.3.1.43","5.3.1.42","5.3.1.41","5.3.1.40","5.3.1.39","5.3.1.38","5.3.1.37","5.3.1.36","5.3.1.35","5.3.1.34","5.3.1.33","5.3.1.32","5.3.1.31","5.3.1.30","5.3.1.29","5.3.1.28","5.3.1.27","5.3.1.26","5.3.1.25","5.3.1.24","5.3.1.23","5.3.1.22","5.3.1.21","5.3.1.20","5.3.1.19","5.3.1.18","5.3.1.17","5.3.1.15","5.3.1.14","5.3.1.13","5.3.1.12","5.3.1.11","5.3.1.10","5.3.1.9","5.3.1.7","5.3.1.6","5.3.1.5","5.3.1.4","5.3.1.3","5.3.1.2","5.3.0.85","5.3.0.84","5.3.0.83","5.3.0.81","5.3.0.80","5.3.0.78","5.3.0.76","5.3.0.74","5.3.0.73","5.3.0.65","5.3.0.72","5.3.0.71","5.3.0.59","5.3.0.67","5.3.0.66","5.3.0.64","5.3.0.63","5.3.0.62","5.3.0.55","5.3.0.54","5.3.0.53","5.3.0.52","5.3.0.50","5.3.0.49","5.3.0.48","5.3.0.47","5.3.0.45","5.3.0.27","5.3.0.26","5.3.0.25","5.3.0.24","5.3.0.23","5.3.0.22","5.3.0.21","5.3.0.20","5.3.0.19","5.3.0.18","5.3.0.17","5.3.0.16","5.3.0.15","5.3.0.14","5.3.0.13","5.3.0.12","5.3.0.0","5.2.1.7","5.2.2.2","5.2.2.1","5.2.2.0","5.2.1.6","5.2.1.5","5.2.1.1","5.2.1.0","5.2.0.11","5.2.0.10","5.2.0.9","5.2.0.8","5.2.0.7","5.2.0.6","5.2.0.5","5.2.0.4","5.2.0.3","5.2.0.2","5.2.0.1","5.2.0.0","5.0.0.0","5.1.1.25","5.1.1.24","5.1.1.23","5.1.1.22","5.1.1.21","5.1.1.20","5.1.1.19","5.1.1.18","5.1.1.17","5.1.1.16","5.1.1.15","5.1.1.14","5.1.1.13","5.1.1.11","5.1.1.10","5.1.1.9","5.1.1.8","5.1.1.7","5.1.1.6","5.1.1.5","5.1.1.4","5.1.1.3","5.1.1.2","5.1.1.1","5.1.1.0","5.1.0.34","5.1.0.33","5.1.0.32","5.1.0.31","5.1.0.30","5.1.0.29","5.1.0.28","5.1.0.26","5.1.0.25","5.1.0.24","5.1.0.23","5.0.0.252","5.1.0.22","5.1.0.20","5.1.0.18","5.1.0.17","5.1.0.16","5.1.0.15","5.1.0.14","5.1.0.13","5.1.0.12","5.1.0.11","5.1.0.10","5.1.0.9","5.1.0.008","5.1.0.007","5.1.0.006","5.1.0.005","5.1.0.004","5.1.0.003","5.1.0.002","5.1.0.001","5.1.0.000","5.0.0.251","5.0.0.250","5.0.0.249","5.0.0.248","5.0.0.247","5.0.0.246","5.0.0.245","5.0.0.243","5.0.0.242","5.0.0.241","5.0.0.239","5.0.0.238","5.0.0.237","5.0.0.236","5.0.0.235","5.0.0.234","5.0.0.233","5.0.0.232","5.0.0.231","5.0.0.230","5.0.0.229","5.0.0.228","5.0.0.227","5.0.0.226","5.0.0.225","5.0.0.224","5.0.0.223","5.0.0.222","5.0.0.221","5.0.0.220","5.0.0.219","5.0.0.218","5.0.0.217","5.0.0.216","5.0.0.215","5.0.0.214","5.0.0.213","5.0.0.212","5.0.0.211","5.0.0.210","5.0.0.208","5.0.0.207","5.0.0.206","5.0.0.205","5.0.0.204","5.0.0.203","5.0.0.202","5.0.0.201","5.0.0.200","5.0.0.199","5.0.0.198","5.0.0.197","5.0.0.196","5.0.0.195","5.0.0.194","5.0.0.193","5.0.0.192","5.0.0.191","5.0.0.190","5.0.0.189","5.0.0.188","5.0.0.187","5.0.0.186","5.0.0.185","5.0.0.184","5.0.0.183","5.0.0.182","5.0.0.181","5.0.0.179","5.0.0.180","5.0.0.178","5.0.0.177","5.0.0.176","5.0.0.175","5.0.0.174","5.0.0.173","5.0.0.172","5.0.0.171","5.0.0.170","5.0.0.169","5.0.0.168","5.0.0.167","5.0.0.166","5.0.0.165","5.0.0.164","5.0.0.163","5.0.0.162","5.0.0.161","5.0.0.160","5.0.0.159","5.0.0.158","5.0.0.157","5.0.0.156","5.0.0.155","5.0.0.154","5.0.0.152","5.0.0.151","5.0.0.150","5.0.0.149","5.0.0.148","5.0.0.147","5.0.0.146","5.0.0.145","5.0.0.144","5.0.0.143","5.0.0.142","5.0.0.141","5.0.0.140","5.0.0.139","5.0.0.138","5.0.0.137","5.0.0.136","5.0.0.135","5.0.0.134","5.0.0.133","5.0.0.132","5.0.0.131","5.0.0.130","5.0.0.129","5.0.0.128","5.0.0.127","5.0.0.126","5.0.0.125","5.0.0.124","5.0.0.123","5.0.0.122","5.0.0.121","5.0.0.120","5.0.0.119","5.0.0.118","5.0.0.117","5.0.0.116","5.0.0.115","5.0.0.114","5.0.0.113","5.0.0.112","5.0.0.111","5.0.0.110","5.0.0.109","5.0.0.108","5.0.0.107","5.0.0.106","5.0.0.105","5.0.0.104","5.0.0.103","5.0.0.102","5.0.0.101","5.0.0.100","5.0.0.99","5.0.0.98","5.0.0.97","5.0.0.96","5.0.0.95","5.0.0.94","5.0.0.93","5.0.0.92","5.0.0.91","5.0.0.90","5.0.0.89","5.0.0.88","5.0.0.87","5.0.0.86","5.0.0.85","5.0.0.84","5.0.0.83","5.0.0.82","5.0.0.76","5.0.0.75"],"database_specific":{"vanir_signatures":[{"source":"https://github.com/lucee/lucee/commit/d6c3bfb7de0b35e1ff1a0ed680d6041420ccb0d8","deprecated":false,"signature_version":"v1","id":"CVE-2021-21307-a15687a5","signature_type":"Function","digest":{"length":93,"function_hash":"239712259558828985593232441030853139854"},"target":{"file":"core/src/main/java/lucee/runtime/functions/xml/XmlSearch.java","function":"UniversalNamespaceResolver"}},{"source":"https://github.com/lucee/lucee/commit/d6c3bfb7de0b35e1ff1a0ed680d6041420ccb0d8","deprecated":false,"signature_version":"v1","id":"CVE-2021-21307-b82d5e23","signature_type":"Line","digest":{"line_hashes":["254074525937126089881805528572628868100","72115653166600875408768514801179748055","310760279169534291753704800026021760094","318802832729453863868438501030830146883","245439410404327880770101712445769535699","152592275944404744764914945575102132964","336241066009702003119339132473089439919","160364461121799337034726217857278483583"],"threshold":0.9},"target":{"file":"core/src/main/java/lucee/runtime/functions/xml/XmlSearch.java"}}],"vanir_signatures_modified":"2026-07-09T11:24:10Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-21307.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}