cnvd - cnvd-2021-62972

cnvd-2021-62972

Vulnerability from cnvd

Title: Liferay Portal和Liferay DXP开放重定向漏洞

Description:

Liferay Portal和Liferay DXP都是美国Liferay公司的产品。Liferay Portal是一套基于J2EE的门户解决方案。该方案使用了EJB以及JMS等技术，并可作为Web发布和共享工作区、企业协作平台、社交网络等。Liferay DXP是一套数字化体验协作平台。

Liferay Portal和Liferay DXP存在开放重定向漏洞，攻击者可利用该漏洞通过“重定向”参数将用户重定向到任意外部url。

Severity: 中

Patch Name: Liferay Portal和Liferay DXP开放重定向漏洞的补丁

Patch Description:

Liferay Portal和Liferay DXP存在开放重定向漏洞，攻击者可利用该漏洞通过“重定向”参数将用户重定向到任意外部url。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

厂商已发布了漏洞修复程序，请及时关注更新： https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747627

Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-33331

Impacted products

Name
['Liferay Liferay DXP <7.1 fix pack 19', 'Liferay Liferay DXP <7.2 fix pack 8', 'Liferay Liferay Portal >=7.0.0，<=7.3.1', 'Liferay Liferay DXP <7.0 fix pack 94']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-33331"
    }
  },
  "description": "Liferay Portal\u548cLiferay DXP\u90fd\u662f\u7f8e\u56fdLiferay\u516c\u53f8\u7684\u4ea7\u54c1\u3002Liferay Portal\u662f\u4e00\u5957\u57fa\u4e8eJ2EE\u7684\u95e8\u6237\u89e3\u51b3\u65b9\u6848\u3002\u8be5\u65b9\u6848\u4f7f\u7528\u4e86EJB\u4ee5\u53caJMS\u7b49\u6280\u672f\uff0c\u5e76\u53ef\u4f5c\u4e3aWeb\u53d1\u5e03\u548c\u5171\u4eab\u5de5\u4f5c\u533a\u3001\u4f01\u4e1a\u534f\u4f5c\u5e73\u53f0\u3001\u793e\u4ea4\u7f51\u7edc\u7b49\u3002Liferay DXP\u662f\u4e00\u5957\u6570\u5b57\u5316\u4f53\u9a8c\u534f\u4f5c\u5e73\u53f0\u3002\n\nLiferay Portal\u548cLiferay DXP\u5b58\u5728\u5f00\u653e\u91cd\u5b9a\u5411\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u201c\u91cd\u5b9a\u5411\u201d\u53c2\u6570\u5c06\u7528\u6237\u91cd\u5b9a\u5411\u5230\u4efb\u610f\u5916\u90e8url\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747627",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-62972",
  "openTime": "2021-08-18",
  "patchDescription": "Liferay Portal\u548cLiferay DXP\u90fd\u662f\u7f8e\u56fdLiferay\u516c\u53f8\u7684\u4ea7\u54c1\u3002Liferay Portal\u662f\u4e00\u5957\u57fa\u4e8eJ2EE\u7684\u95e8\u6237\u89e3\u51b3\u65b9\u6848\u3002\u8be5\u65b9\u6848\u4f7f\u7528\u4e86EJB\u4ee5\u53caJMS\u7b49\u6280\u672f\uff0c\u5e76\u53ef\u4f5c\u4e3aWeb\u53d1\u5e03\u548c\u5171\u4eab\u5de5\u4f5c\u533a\u3001\u4f01\u4e1a\u534f\u4f5c\u5e73\u53f0\u3001\u793e\u4ea4\u7f51\u7edc\u7b49\u3002Liferay DXP\u662f\u4e00\u5957\u6570\u5b57\u5316\u4f53\u9a8c\u534f\u4f5c\u5e73\u53f0\u3002\r\n\r\nLiferay Portal\u548cLiferay DXP\u5b58\u5728\u5f00\u653e\u91cd\u5b9a\u5411\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u201c\u91cd\u5b9a\u5411\u201d\u53c2\u6570\u5c06\u7528\u6237\u91cd\u5b9a\u5411\u5230\u4efb\u610f\u5916\u90e8url\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Liferay Portal\u548cLiferay DXP\u5f00\u653e\u91cd\u5b9a\u5411\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Liferay Liferay DXP \u003c7.1 fix pack 19",
      "Liferay Liferay DXP \u003c7.2 fix pack 8",
      "Liferay Liferay Portal \u003e=7.0.0\uff0c\u003c=7.3.1",
      "Liferay Liferay DXP \u003c7.0 fix pack 94"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-33331",
  "serverity": "\u4e2d",
  "submitTime": "2021-08-05",
  "title": "Liferay Portal\u548cLiferay DXP\u5f00\u653e\u91cd\u5b9a\u5411\u6f0f\u6d1e"
}

CVE-2021-33331 (GCVE-0-2021-33331)

Vulnerability from cvelistv5

Published

2021-08-03 20:43

Modified

2024-08-03 23:50

Severity ?

CWE

Summary

Open redirect vulnerability in the Notifications module in Liferay Portal 7.0.0 through 7.3.1, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19 and 7.2 before fix pack 8, allows remote attackers to redirect users to arbitrary external URLs via the 'redirect' parameter.

References

▼	URL	Tags
	https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747627	x_refsource_CONFIRM
	https://issues.liferay.com/browse/LPE-17022	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:50:41.593Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747627"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://issues.liferay.com/browse/LPE-17022"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Open redirect vulnerability in the Notifications module in Liferay Portal 7.0.0 through 7.3.1, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19 and 7.2 before fix pack 8, allows remote attackers to redirect users to arbitrary external URLs via the \u0027redirect\u0027 parameter."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-08-03T20:43:55",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747627"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://issues.liferay.com/browse/LPE-17022"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-33331",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Open redirect vulnerability in the Notifications module in Liferay Portal 7.0.0 through 7.3.1, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19 and 7.2 before fix pack 8, allows remote attackers to redirect users to arbitrary external URLs via the \u0027redirect\u0027 parameter."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747627",
              "refsource": "CONFIRM",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747627"
            },
            {
              "name": "https://issues.liferay.com/browse/LPE-17022",
              "refsource": "CONFIRM",
              "url": "https://issues.liferay.com/browse/LPE-17022"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-33331",
    "datePublished": "2021-08-03T20:43:55",
    "dateReserved": "2021-05-20T00:00:00",
    "dateUpdated": "2024-08-03T23:50:41.593Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted