PT-2021-18041 · Liferay · Liferay Portal+1
Published: 2021-05-17 · Updated: 2025-05-13
CVE-2021-29043
CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions:
Liferay Portal versions 7.0.0 through 7.3.5
Liferay DXP 7.0 before fix pack 97
Liferay DXP 7.1 before fix pack 21
Liferay DXP 7.2 before fix pack 10
Liferay DXP 7.3 before fix pack 1
Description:
The Portal Store module does not obfuscate the S3 store's proxy password, allowing attackers to steal the proxy password via man-in-the-middle attacks or shoulder surfing.
Recommendations:
For Liferay Portal versions 7.0.0 through 7.3.5, update to a version that includes the necessary security fixes.
For Liferay DXP 7.0, apply fix pack 97 or later.
For Liferay DXP 7.1, apply fix pack 21 or later.
For Liferay DXP 7.2, apply fix pack 10 or later.
For Liferay DXP 7.3, apply fix pack 1 or later.
Fix
Information Disclosure
Insufficiently Protected Credentials
Affected Products
Liferay DXP
Liferay Portal