Fluid Attacks Database

Description

Liferay Portal defaults to a low work factor for the default password hashing algorithm The default password hashing algorithm (PBKDF2-HMAC-SHA1) in Liferay Portal 7.2.0 through 7.4.3.15, and older unsupported versions, and Liferay DXP 7.4 before update 16, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions defaults to a low work factor, which allows attackers to quickly crack password hashes.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	com.liferay.portal:release.portal.bom	>=0 <7.4.3.14	7.4.3.14
maven	com.liferay.portal:release.dxp.bom	>=7.3.0 <7.3.10.u4 \|\| >=0 <7.2.10.fp17 \|\| >=7.4.0 <7.4.13.u16	7.3.10.u4, 7.2.10.fp17, 7.4.13.u16
maven	com.liferay.portal:com.liferay.portal.kernel	>=0 <38.0.0	38.0.0

Aliases

1. CVE-2024-256072. NVD-2024-256073. OSV-2024-256074. GCVE-2024-25607

References

1. https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25607