CVE-2025-43819
Liferay Portal and DXP does not properly expire sessions
Description
### Summary

Liferay Portal/DXP contains an Insufficient Session Expiration issue where the Single Logout (SLO) API may fail to invalidate a user's previous session. An attacker can reuse a stale session via the SLO endpoint to gain an authenticated context.

### Affected Versions

The following platform versions are affected:

* **Liferay Portal:**
  * `7.3.3.131` through `7.4.3.121`
* **Liferay DXP:**
  * `2024.Q4.0` through `2024.Q4.3`
  * `2024.Q3.1` through `2024.Q3.13`
  * `2024.Q2.0` through `2024.Q2.13`
  * `2024.Q1.1` through `2024.Q1.12`

### Remediation

Update to the fixed builds and, for Maven consumers of the SAML module, upgrade `com.liferay:com.liferay.saml.impl` to **5.0.51** or later. After upgrading, ensure session invalidation policies are enforced and verify SLO behavior end-to-end.
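A version check against the affected ranges listed above, as an added example that is not Liferay's own code: the product labels `portal`, `dxp` and `saml-impl` are this script's own, and the pom fragment is constructed.

```python
"""Checks a Liferay build or SAML module version against the CVE-2025-43819
ranges quoted in this advisory. Added example; not Liferay's own code."""
import re

# Inclusive (low, high) ranges copied from the advisory text above.
PORTAL_RANGES = [("7.3.3.131", "7.4.3.121")]
DXP_RANGES = [("2024.Q4.0", "2024.Q4.3"), ("2024.Q3.1", "2024.Q3.13"),
              ("2024.Q2.0", "2024.Q2.13"), ("2024.Q1.1", "2024.Q1.12")]
SAML_IMPL_FIXED = "5.0.51"  # first fixed com.liferay:com.liferay.saml.impl

def version_key(version):
    """'7.4.3.121' -> (7, 4, 3, 121); '2024.Q4.3' -> (2024, 4, 3)."""
    return tuple(int(p.lstrip("Qq")) for p in version.strip().split("."))

def in_ranges(version, ranges):
    key = version_key(version)
    return any(version_key(lo) <= key <= version_key(hi) for lo, hi in ranges)

def is_affected(product, version):
    """product: 'portal', 'dxp' or 'saml-impl' (the Maven artifact)."""
    if product == "portal":
        return in_ranges(version, PORTAL_RANGES)
    if product == "dxp":
        return in_ranges(version, DXP_RANGES)
    if product == "saml-impl":
        return version_key(version) < version_key(SAML_IMPL_FIXED)
    raise ValueError(f"unknown product {product!r}")

def saml_impl_version_from_pom(pom_xml):
    """Return the version pinned for com.liferay.saml.impl in a pom, or None."""
    m = re.search(r"<artifactId>\s*com\.liferay\.saml\.impl\s*</artifactId>\s*"
                  r"<version>\s*([^<\s]+)\s*</version>", pom_xml)
    return m.group(1) if m else None

# Constructed sample pom fragment (not taken from any real project).
SAMPLE_POM = """<dependency>
  <groupId>com.liferay</groupId>
  <artifactId>com.liferay.saml.impl</artifactId>
  <version>5.0.50</version>
</dependency>"""

if __name__ == "__main__":
    pinned = saml_impl_version_from_pom(SAMPLE_POM)
    print(f"saml.impl {pinned}: affected={is_affected('saml-impl', pinned)}")
    print(f"DXP 2024.Q3.13: affected={is_affected('dxp', '2024.Q3.13')}")
```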
How to patch CVE-2025-43819
To patch CVE-2025-43819, upgrade the affected package(s) to the fixed versions listed below.
- — upgrade to 5.0.51 or later
Is CVE-2025-43819 being exploited?
Low — EPSS is 0.0%; no large-scale exploitation activity has been observed so far.
Affected packages (1)
- from 0, < 5.0.51
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N |