CVE-2024-25607 – com.liferay.portal:release.dxp.bom

Package

Manager: maven
Name: com.liferay.portal:release.dxp.bom
Vulnerable Version: >=7.3.0 <7.3.10.u4 || >=0 <7.2.10.fp17 || >=7.4.0 <7.4.13.u16

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00131 pctl0.33514

Details

Liferay Portal defaults to a low work factor for the default password hashing algorithm The default password hashing algorithm (PBKDF2-HMAC-SHA1) in Liferay Portal 7.2.0 through 7.4.3.15, and older unsupported versions, and Liferay DXP 7.4 before update 16, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions defaults to a low work factor, which allows attackers to quickly crack password hashes.

Metadata

Created: 2024-02-20T12:31:00Z
Modified: 2024-12-11T22:02:12Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-43h9-p3j4-39hm/GHSA-43h9-p3j4-39hm.json
CWE IDs: ["CWE-916"]
Alternative ID: GHSA-43h9-p3j4-39hm
Finding: F052
Auto approve: 1