PT-2024-20776 · Liferay · Liferay Portal+1
Published 2024-02-07 · Updated 2024-11-08 · CVE-2024-25143
CVSS v4.0: 7.1 (High)
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Liferay Portal versions 7.2.0 through 7.3.6
Liferay DXP 7.3 before service pack 3
Liferay DXP 7.2 before fix pack 13
Description
The Document and Media widget in Liferay Portal does not limit resource consumption when generating a preview image, which allows remote authenticated users to cause a denial of service (memory consumption) via crafted PNG images.
Recommendations
For Liferay Portal versions 7.2.0 through 7.3.6, update to a version that includes the fix for this issue.
For Liferay DXP 7.3, apply service pack 3 or later.
For Liferay DXP 7.2, apply fix pack 13 or later.
As a temporary workaround, consider disabling the Document and Media widget until a patch is available.
Restrict access to the widget to minimize the risk of exploitation.
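The root cause named here is allocation without a limit: the preview generator trusts the canvas size a PNG declares and allocates for it. As an added illustration (not Liferay code), the check below reads only the PNG signature and IHDR chunk, computes the decoded buffer size from the declared width, height, bit depth and colour type, and refuses preview generation above a memory budget; the budget value, function names and sample headers are constructed assumptions.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Samples per pixel for each PNG colour type (IHDR colour type field).
_CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}

# Assumed budget for the decoded bitmap of one preview (constructed value).
MAX_DECODED_BYTES = 32 * 1024 * 1024


def png_decoded_size(data: bytes) -> int:
    """Bytes a decoder needs for the raw image rows described by the IHDR
    chunk, computed without decoding a single pixel.
    Raises ValueError for anything that is not a well-formed PNG header."""
    if len(data) < 33 or not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        raise ValueError("first chunk is not a valid IHDR")
    body = data[16:29]
    (crc,) = struct.unpack(">I", data[29:33])
    if zlib.crc32(ctype + body) != crc:
        raise ValueError("IHDR CRC mismatch")
    width, height, bit_depth, colour_type = struct.unpack(">IIBB", body[:10])
    if width == 0 or height == 0 or colour_type not in _CHANNELS:
        raise ValueError("invalid IHDR dimensions or colour type")
    bits_per_pixel = bit_depth * _CHANNELS[colour_type]
    row_bytes = (width * bits_per_pixel + 7) // 8 + 1  # +1 filter-type byte
    return row_bytes * height


def preview_allowed(data: bytes, budget: int = MAX_DECODED_BYTES) -> bool:
    """Decide from the header alone whether a preview fits the budget.
    A file of a few dozen bytes can declare a multi-gigabyte canvas."""
    try:
        return png_decoded_size(data) <= budget
    except ValueError:
        return False


def make_png_header(width: int, height: int, bit_depth: int = 8,
                    colour_type: int = 6) -> bytes:
    """Constructed PNG signature + IHDR chunk for exercising the check."""
    body = struct.pack(">IIBBBBB", width, height, bit_depth, colour_type, 0, 0, 0)
    crc = zlib.crc32(b"IHDR" + body)
    return PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR" + body + struct.pack(">I", crc)
```

The same header-first sizing applies to any decoder that allocates a full-frame buffer; the budget should be set from the memory actually available to the preview worker, not from the upload size limit.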
Tags: Fix · DoS · Resource Exhaustion · Allocation of Resources Without Limits
Affected Products
Liferay DXP
Liferay Portal