CVE-2024-38002 – com.liferay.portal:release.dxp.bom

Package

Manager: maven
Name: com.liferay.portal:release.dxp.bom
Vulnerable Version: >=2023.q4.0 <2023.q4.6 || >=2023.q3.1 <2023.q3.9 || >=7.3-ga <7.3.10.u36 || >=7.4-ga <7.4.13.u92

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS: 0.00364 pctl0.5767

Details

Liferay Portal and Liferay DXP Workflow Component Does Not Check User Permissions The workflow component in Liferay Portal 7.3.2 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92 and 7.3 GA through update 36 does not properly check user permissions before updating a workflow definition, which allows remote authenticated users to modify workflow definitions and execute arbitrary code (RCE) via the headless API.

Metadata

Created: 2024-10-22T18:32:11Z
Modified: 2025-08-08T21:15:02Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-3mfq-fp2f-vwqh/GHSA-3mfq-fp2f-vwqh.json
CWE IDs: ["CWE-863"]
Alternative ID: GHSA-3mfq-fp2f-vwqh
Finding: F006
Auto approve: 1