CVE-2020-7961 – com.liferay.portal:com.liferay.portal.kernel
Package
Manager: maven
Name: com.liferay.portal:com.liferay.portal.kernel
Vulnerable Version: >=0 <4.35.3
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.94412 (percentile 0.99976)
Details
Deserialization of Untrusted Data in Liferay Portal
Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS).
Metadata
Created: 2022-05-24T17:12:05Z
Modified: 2024-08-28T15:29:16Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-w7pm-cc4v-f3g8/GHSA-w7pm-cc4v-f3g8.json
CWE IDs: ["CWE-502"]
Alternative ID: GHSA-w7pm-cc4v-f3g8
Finding: F096
Auto approve: 1