CVE-2023-33947 – com.liferay.portal:release.portal.bom

Package

Manager: maven
Name: com.liferay.portal:release.portal.bom
Vulnerable Version: >=7.4.3.4 <7.4.3.61

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00133 pctl0.33656

Details

Liferay portal has unauthorized access to object definition via search The Object module in Liferay Portal 7.4.3.4 through 7.4.3.60, and Liferay DXP 7.4 before update 61 does not segment object definition by virtual instance in search which allows remote authenticated users in one virtual instance to view object definition from a second virtual instance by searching for the object definition.

Metadata

Created: 2023-05-24T18:30:26Z
Modified: 2023-06-03T00:08:33Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-769c-p92r-xgxj/GHSA-769c-p92r-xgxj.json
CWE IDs: ["CWE-284"]
Alternative ID: GHSA-769c-p92r-xgxj
Finding: F039
Auto approve: 1