CVE-2021-29043

MEDIUM

Liferay Digital Experience Platform < 7.3.5 - Insufficiently Protected Credentials

Title source: rule

Description

The Portal Store module in Liferay Portal 7.0.0 through 7.3.5, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 does not obfuscate the S3 store's proxy password, which allows attackers to steal the proxy password via man-in-the-middle attacks or shoulder surfing.

References (2)

Scores

CVSS v3 5.9
EPSS 0.0020
EPSS Percentile 42.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Classification

CWE
CWE-522
Status published

Affected Products (50)

liferay/digital_experience_platform
liferay/digital_experience_platform
liferay/digital_experience_platform
liferay/digital_experience_platform
liferay/digital_experience_platform
liferay/digital_experience_platform
liferay/digital_experience_platform
liferay/digital_experience_platform
liferay/digital_experience_platform
liferay/digital_experience_platform
liferay/digital_experience_platform
liferay/digital_experience_platform
liferay/digital_experience_platform
liferay/digital_experience_platform
liferay/digital_experience_platform
... and 35 more

Timeline

Published May 17, 2021
Tracked Since Feb 18, 2026