CVE-2021-33327

Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.2.0 through 7.3.3 Liferay DXP 7.0 fix pack 93 and 94 Liferay DXP 7.1 fix pack 18 Liferay DXP 7.2 before fix pack 8

Description The Portlet Configuration module does not properly check user permission, allowing remote authenticated users to view the Guest and User role even if "Role Visibility" is enabled.

Recommendations For Liferay Portal versions 7.2.0 through 7.3.3, update to a version that includes the fix for this issue. For Liferay DXP 7.0 fix pack 93 and 94, apply a fix pack that addresses this issue. For Liferay DXP 7.1 fix pack 18, apply a fix pack that addresses this issue. For Liferay DXP 7.2 before fix pack 8, apply fix pack 8 or later to resolve the issue. As a temporary workaround, consider restricting access to the Portlet Configuration module until a patch is available.