Fluid Attacks Database

Description

Liferay Portal and Liferay DXP Workflow Component Does Not Check User Permissions The workflow component in Liferay Portal 7.3.2 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92 and 7.3 GA through update 36 does not properly check user permissions before updating a workflow definition, which allows remote authenticated users to modify workflow definitions and execute arbitrary code (RCE) via the headless API.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	com.liferay.portal:release.portal.bom	>=7.3.2-ga3 <7.4.3.112-ga112	7.4.3.112-ga112
maven	com.liferay.portal:release.dxp.bom	>=2023.q4.0 <2023.q4.6 \|\| >=2023.q3.1 <2023.q3.9 \|\| >=7.3-ga <7.3.10.u36 \|\| >=7.4-ga <7.4.13.u92	2023.q4.6, 2023.q3.9, 7.3.10.u36, 7.4.13.u92

Aliases

1. CVE-2024-380022. NVD-2024-380023. OSV-2024-380024. GCVE-2024-38002

References

1. https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2024-38002

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.