CVE-2021-29052

Name of the Vulnerable Software and Affected Versions: Liferay Portal versions 7.3.0 through 7.3.5 Liferay DXP 7.3 before fix pack 1

Description: The issue concerns the Data Engine module, which fails to check permissions in DataDefinitionResourceImpl.getSiteDataDefinitionByContentTypeByDataDefinitionKey. This allows remote authenticated users to view DDMStructures via GET API calls.

Recommendations: For Liferay Portal versions 7.3.0 through 7.3.5, update to a version that includes the fix for this issue. For Liferay DXP 7.3 before fix pack 1, apply fix pack 1 to resolve the issue. As a temporary workaround, consider restricting access to the DataDefinitionResourceImpl.getSiteDataDefinitionByContentTypeByDataDefinitionKey function until a patch is available.