CVE-2024-26267 – com.liferay.portal:release.dxp.bom
Package
Manager: maven
Name: com.liferay.portal:release.dxp.bom
Vulnerable Version: >=0 <7.2.10.fp19 || >=7.3.0 <7.3.10.u5 || >=7.4.0 <7.4.13.u26
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00224 (percentile 0.45005)
Details
Liferay Portal and Liferay DXP HTTP Header Can Expose Versions
In Liferay Portal 7.2.0 through 7.4.3.25, and older unsupported versions, and Liferay DXP 7.4 before update 26, 7.3 before update 5, 7.2 before fix pack 19, and older unsupported versions, the default value of the portal property `http.header.version.verbosity` is set to `full`, which allows remote attackers to easily identify the version of the application that is running and the vulnerabilities that affect that version via the `Liferay-Portal` response header.
Metadata
Created: 2024-02-20T15:31:03Z
Modified: 2025-07-29T13:04:50Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-2mvj-q2q3-wxjv/GHSA-2mvj-q2q3-wxjv.json
CWE IDs: ["CWE-1188"]
Alternative ID: GHSA-2mvj-q2q3-wxjv
Finding: F014
Auto approve: 1