Fluid Attacks Database

Description

Liferay Portal and Liferay DXP fails to properly import users from LDAP Security LDAP Implementation before 2.0.16 from Liferay Portal through v7.2.1 and Liferay DXP through v7.2 does not correctly import users from LDAP, allowing remote attackers to prevent a legitimate user from authenticating by attempting to sign in as a user that exists in LDAP.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	com.liferay:com.liferay.portal.security.ldap.impl	>=0 <2.0.19	2.0.19
maven	com.liferay.portal:release.dxp.bom	>=0 <7.3.0-ga1	7.3.0-ga1

Aliases

1. CVE-2021-382662. NVD-2021-382663. OSV-2021-382664. GCVE-2021-38266

References

1. https://github.com/liferay/liferay-portal/commit/c3d1e3c7b18be0791360bb57428ea8234bcbb7362. https://issues.liferay.com/browse/LPE-171913. https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2021-38266?p_r_p_assetEntryId=121611673&_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_redirect=https%3A%2F%2Fliferay.dev%3A443%2Fportal%2Fsecurity%2Fknown-vulnerabilities%3Fp_p_id%3Dcom_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt%26p_p_lifecycle%3D0%26p_p_state%3Dnormal%26p_p_mode%3Dview%26p_r_p_assetEntryId%3D121611673%26_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_cur%3D0%26p_r_p_resetCur%3Dfalse

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.