CVE-2020-15842 com.liferay.portal:release.dxp.bom

Package

Manager: maven
Name: com.liferay.portal:release.dxp.bom
Vulnerable Version: >=7.0.0 <7.0.10.fp90 || >=7.1.0 <7.1.10.fp17 || >=7.2.0 <7.2.10.fp5

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.0057 (percentile: 0.67632)

Details

Liferay Portal and Liferay DXP have an insecure deserialization vulnerability.

Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 90, 7.1 before fix pack 17, and 7.2 before fix pack 5, allow man-in-the-middle attackers to execute arbitrary code via crafted serialized payloads, because of insecure deserialization.

Metadata

Created: 2022-05-24T17:23:59Z
Modified: 2025-05-28T20:01:36Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-mg3r-9jh8-33r9/GHSA-mg3r-9jh8-33r9.json
CWE IDs: ["CWE-502"]
Alternative ID: GHSA-mg3r-9jh8-33r9
Finding: F096
Auto approve: 1