Fluid Attacks Database

Description

Liferay Portal and Liferay DXP Potentially Reveal LDAP Server Password via Unsafe Connection Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 89, 7.1 before fix pack 17, and 7.2 before fix pack 4, does not safely test a connection to a LDAP server, which allows remote attackers to obtain the LDAP server's password via the Test LDAP Connection feature.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	com.liferay.portal:release.dxp.bom	>=7.0.0 <7.0.10.fp89 \|\| >=7.1.0 <7.1.10.fp17 \|\| >=7.2.0 <7.2.10.fp4	7.0.10.fp89, 7.1.10.fp17, 7.2.10.fp4
maven	com.liferay.portal:release.portal.bom	>=0 <7.3.0	7.3.0

Aliases

1. CVE-2020-158412. NVD-2020-158413. OSV-2020-158414. GCVE-2020-15841

References

1. https://issues.liferay.com/browse/LPE-169282. https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119317439