CVE-2021-33334

MEDIUM4.3EPSS 0.08%

Liferay Portal and Liferay DXP Fails to Properly Check User Permissions

發布日:2022/5/24修改日:2025/5/14

描述

The Dynamic Data Mapping module in Liferay Portal 7.0.0 through 7.3.2, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19, and 7.2 before fix pack 6, does not properly check user permissions, which allows remote attackers with the forms "Access in Site Administration" permission to view all forms and form entries in a site via the forms section in site administration.

受影響套件(2)

Maven/com.liferay.portal:release.dxp.bom>= 7.0.10.fp0, < 7.0.10.fp94
Maven/com.liferay.portal:release.portal.bom>= 7.0.0, <= 7.3.2

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

參考連結(4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-33334
PATCHhttps://github.com/liferay/liferay-portal
WEBhttps://issues.liferay.com/browse/LPE-17039
WEBhttps://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120748332