CVE-2024-26267

Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.2.0 through 7.4.3.25 Liferay DXP 7.4 before update 26 Liferay DXP 7.3 before update 5 Liferay DXP 7.2 before fix pack 19

Description The default value of the portal property http.header.version.verbosity is set to full, which allows remote attackers to easily identify the version of the application that is running and the vulnerabilities that affect that version via 'Liferay-Portal' response header.

Recommendations For Liferay Portal versions 7.2.0 through 7.4.3.25, update to a version where the http.header.version.verbosity property is not set to full. For Liferay DXP 7.4 before update 26, apply update 26 to change the default value of the http.header.version.verbosity property. For Liferay DXP 7.3 before update 5, apply update 5 to change the default value of the http.header.version.verbosity property. For Liferay DXP 7.2 before fix pack 19, apply fix pack 19 to change the default value of the http.header.version.verbosity property. As a temporary workaround, consider changing the http.header.version.verbosity property to a value other than full to minimize the risk of exploitation.