PT-2024-21321 · Liferay · Liferay Portal+1
Barnabás Horváth
+1
·
Published
2024-02-20
·
Updated
2025-01-28
·
CVE-2024-26268
CVSS v3.1
5.3
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Liferay Portal versions 7.2.0 through 7.4.3.26
Liferay DXP versions prior to 7.4 update 27
Liferay DXP versions prior to 7.3 update 8
Liferay DXP versions prior to 7.2 fix pack 20
Description
The issue allows remote attackers to determine if an account exists in the application by comparing the request's response time. This is a user enumeration vulnerability that can be exploited by analyzing the time it takes for the application to respond to requests.
Recommendations
For Liferay Portal versions 7.2.0 through 7.4.3.26, update to a version outside of this range to resolve the issue.
For Liferay DXP versions prior to 7.4 update 27, apply update 27 or later.
For Liferay DXP versions prior to 7.3 update 8, apply update 8 or later.
For Liferay DXP versions prior to 7.2 fix pack 20, apply fix pack 20 or later.
Fix
Side Channel Attack
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Liferay Dxp
Liferay Portal