CVE-2021-33325

MEDIUM4.9EPSS 0.12%

Liferay Portal and Liferay DXP Stores User Passwords in Cleartext

Published: 5/24/2022Modified: 5/14/2025

Description

The Portal Workflow module in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 93, 7.1 before fix pack 19, and 7.2 before fix pack 7, user's clear text passwords are stored in the database if workflow is enabled for user creation, which allows attackers with access to the database to obtain a user's password.

Affected packages (2)

Maven/com.liferay.portal:release.dxp.bomfrom 0, < 7.0.10.fp93
Maven/com.liferay.portal:release.portal.bom>= 7.3.0, <= 7.3.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-33325
PATCHhttps://github.com/liferay/liferay-portal
WEBhttps://issues.liferay.com/browse/LPE-17042
WEBhttps://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120748389