CVE-2021-38266 – com.liferay.portal:release.dxp.bom
Package
Manager: maven
Name: com.liferay.portal:release.dxp.bom
Vulnerable Version: >=0 <7.3.0-ga1
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS: 0.01851 (percentile: 0.82304)
Details
Liferay Portal and Liferay DXP fail to properly import users from LDAP. The Security LDAP Implementation before 2.0.16, from Liferay Portal through v7.2.1 and Liferay DXP through v7.2, does not correctly import users from LDAP, allowing remote attackers to prevent a legitimate user from authenticating by attempting to sign in as a user that exists in LDAP.
Metadata
Created: 2022-03-04T00:00:22Z
Modified: 2025-07-14T20:52:18Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-jp3m-vh3g-6ggp/GHSA-jp3m-vh3g-6ggp.json
CWE IDs: []
Alternative ID: GHSA-jp3m-vh3g-6ggp
Finding: F006
Auto approve: 1