PT-2021-18039 · Liferay · Liferay Portal+1
Published: 2021-05-16 · Updated: 2025-05-13 · CVE-2021-29040
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions:
Liferay Portal versions 7.3.4 and earlier
Liferay DXP 7.0 before fix pack 97
Liferay DXP 7.1 before fix pack 20
Liferay DXP 7.2 before fix pack 10
Description:
The JSON web services may provide overly verbose error messages, allowing remote attackers to use the contents of error messages to help launch more focused attacks via crafted inputs.
Recommendations:
For Liferay Portal versions 7.3.4 and earlier, update to a version later than 7.3.4.
For Liferay DXP 7.0 before fix pack 97, apply fix pack 97 or later.
For Liferay DXP 7.1 before fix pack 20, apply fix pack 20 or later.
For Liferay DXP 7.2 before fix pack 10, apply fix pack 10 or later.
As a temporary workaround, consider restricting access to the JSON web services to minimize the risk of exploitation.
Weakness Enumeration:
Generation of Error Message Containing Sensitive Information
Affected Products:
Liferay DXP
Liferay Portal