Description
The Portal Security module in Liferay Portal 7.2.1 and earlier, and Liferay DXP 7.0 before fix pack 90, 7.1 before fix pack 17 and 7.2 before fix pack 5 does not correctly import users from LDAP, which allows remote attackers to prevent a legitimate user from authenticating by attempting to sign in as a user that exists in LDAP.
References (3)
Vendor Advisory (x_refsource_misc): http://liferay.com
Vendor Advisory (x_refsource_misc): https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38266
Issue Tracking, Vendor Advisory (x_refsource_misc): https://issues.liferay.com/browse/LPE-17191
Scores
CVSS v3: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS: 0.0185
EPSS Percentile: 83.3%
Attack Vector: NETWORK
Details
Status: published
Products (3)
com.liferay/com.liferay.portal.security.ldap.impl: 0 - 2.0.19 (Maven)
com.liferay.portal/release.dxp.bom: 0 - 7.3.0-ga1 (Maven)
liferay/digital_experience_platform: 7.0 (48 CPE variants)
Published: Mar 02, 2022
Tracked Since: Feb 18, 2026