CVE-2021-33325

MEDIUM4.9EPSS 0.12%

Liferay Portal and Liferay DXP Stores User Passwords in Cleartext

發布日:2022/5/24修改日:2025/5/14

描述

The Portal Workflow module in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 93, 7.1 before fix pack 19, and 7.2 before fix pack 7, user's clear text passwords are stored in the database if workflow is enabled for user creation, which allows attackers with access to the database to obtain a user's password.

受影響套件(2)

Maven/com.liferay.portal:release.dxp.bomfrom 0, < 7.0.10.fp93
Maven/com.liferay.portal:release.portal.bom>= 7.3.0, <= 7.3.2

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM4.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

參考連結(4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-33325
PATCHhttps://github.com/liferay/liferay-portal
WEBhttps://issues.liferay.com/browse/LPE-17042
WEBhttps://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120748389