CVE-2021-29043
MEDIUM
Liferay Digital Experience Platform < 7.3.5 - Insufficiently Protected Credentials
Title source: rule
Description
The Portal Store module in Liferay Portal 7.0.0 through 7.3.5, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 does not obfuscate the S3 store's proxy password, which allows attackers to steal the proxy password via man-in-the-middle attacks or shoulder surfing.
References (2)
Vendor Advisory x_refsource_misc
http://liferay.com
Vendor Advisory x_refsource_misc
https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743515
Scores
CVSS v3
5.9
EPSS
0.0020
EPSS Percentile
42.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-522
Status
published
Products (3)
com.liferay.portal/release.dxp.bom
0 - 7.0.10.fp97 (Maven)
com.liferay.portal/release.portal.bom
7.0.0 - 7.3.6 (Maven)
liferay/digital_experience_platform
7.0 (48 CPE variants)
Published
May 17, 2021
Tracked Since
Feb 18, 2026