CVE-2021-38266
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
02/03/2022
Last modified:
13/05/2022
Description
The Portal Security module in Liferay Portal 7.2.1 and earlier, and Liferay DXP 7.0 before fix pack 90, 7.1 before fix pack 17 and 7.2 before fix pack 5 does not correctly import users from LDAP, which allows remote attackers to prevent a legitimate user from authenticating by attempting to sign in as a user that exist in LDAP.
Impact
Base Score 3.x
7.50
Severity 3.x
HIGH
Base Score 2.0
5.00
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:liferay:liferay_portal:*:*:*:*:community:*:*:* | 7.2.1 (including) | |
| cpe:2.3:a:liferay:digital_experience_platform:7.0:-:*:*:*:*:*:* | ||
| cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_1:*:*:*:*:*:* | ||
| cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_10:*:*:*:*:*:* | ||
| cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_11:*:*:*:*:*:* | ||
| cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_12:*:*:*:*:*:* | ||
| cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_13:*:*:*:*:*:* | ||
| cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_14:*:*:*:*:*:* | ||
| cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_15:*:*:*:*:*:* | ||
| cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_16:*:*:*:*:*:* | ||
| cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_17:*:*:*:*:*:* | ||
| cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_18:*:*:*:*:*:* | ||
| cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_19:*:*:*:*:*:* | ||
| cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_2:*:*:*:*:*:* | ||
| cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_20:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page