CVE-2025-43786
EPSS: 0.06%
Liferay Portal exposes ERC, which can lead to a time-response (timing) attack
Published: 2025/9/9, Modified: 2025/12/20
Description
Enumeration of ERC (external reference code) from object entries in Liferay Portal 7.4.0 through 7.4.3.128, and Liferay DXP 2024.Q3.0 through 2024.Q3.1, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 and 7.4 GA through update 92 allows attackers to determine which ERCs exist in the application by exploiting differences in response time.
Affected packages (3)
- Maven/com.liferay:com.liferay.headless.admin.workflow.impl >= 5.0.4, < 5.0.83
- Maven/com.liferay:com.liferay.portal.vulcan.impl >= 5.0.7, < 5.0.127
- Maven/com.liferay:com.liferay.portal.workflow.api >= 7.0.1, < 11.0.1
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
References (7)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-43786
- PATCH: https://github.com/liferay/liferay-portal
- WEB: https://github.com/liferay/liferay-portal/commit/8f9728086bd61661437b0aa8493c83510914a474
- WEB: https://github.com/liferay/liferay-portal/commit/e34499eab2ce1d544835835afe6733a78b4ab532
- WEB: https://github.com/liferay/liferay-portal/commit/e4a140d6d92e92911f08fe33051b677742531f19
- WEB: https://liferay.atlassian.net/browse/LPE-18106
- WEB: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43786