PT-2022-10706 · Liferay · Liferay Portal, Liferay DXP
Published 2022-03-02 · Updated 2024-01-31 · CVE-2021-38266
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Liferay Portal 7.2.1 and earlier
Liferay DXP 7.0 before fix pack 90
Liferay DXP 7.1 before fix pack 17
Liferay DXP 7.2 before fix pack 5
Description
The vulnerability is caused by incorrect import of users from LDAP. A remote, unauthenticated attacker can prevent a legitimate user from authenticating simply by attempting to sign in as a user that exists in LDAP, which denies that user access to the portal (availability impact only, as the CVSS vector indicates).
Recommendations
For Liferay Portal 7.2.1 and earlier, update to a version that correctly imports users from LDAP.
For Liferay DXP 7.0, apply fix pack 90 or later.
For Liferay DXP 7.1, apply fix pack 17 or later.
For Liferay DXP 7.2, apply fix pack 5 or later.
Affected Products
Liferay Dxp
Liferay Portal