Fluid Attacks Database

Description

Liferay Portal and Liferay DXP have Insecure Deserialization Vulnerability Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 90, 7.1 before fix pack 17, and 7.2 before fix pack 5, allows man-in-the-middle attackers to execute arbitrary code via crafted serialized payloads, because of insecure deserialization.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	com.liferay.portal:release.portal.bom	>=0 <7.3.0	7.3.0
maven	com.liferay.portal:release.dxp.bom	>=7.0.0 <7.0.10.fp90 \|\| >=7.1.0 <7.1.10.fp17 \|\| >=7.2.0 <7.2.10.fp5	7.0.10.fp90, 7.1.10.fp17, 7.2.10.fp5

Aliases

1. CVE-2020-158422. NVD-2020-158423. OSV-2020-158424. GCVE-2020-15842

References

1. https://issues.liferay.com/browse/LPE-169632. https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119317427