CVE-2023-33950

MEDIUM6.5EPSS 0.67%

Liferay Portal has Inefficient Regular Expression

Published: 5/24/2023Modified: 2/16/2024

Also known as:GHSA-chrc-q6v3-jfv8BIT-liferay-2023-33950

Description

Pattern Redirects in Liferay Portal 7.4.3.48 through 7.4.3.76, and Liferay DXP 7.4 update 48 through 76 allows regular expressions that are vulnerable to ReDoS attacks to be used as patterns, which allows remote attackers to consume an excessive amount of server resources via crafted request URLs.

Affected packages (2)

Bitnami/liferay>= 7.4-update48.0, <= 7.4-update48.0, >= 7.4-update76.0, <= 7.4-update76.0
Maven/com.liferay.portal:release.portal.bom>= 7.4.3.48, < 7.4.3.77

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-33950
PATCHhttps://github.com/liferay/liferay-portal
WEBhttps://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33950