cve-2024-26268
Vulnerability from cvelistv5
Published
2024-02-20 13:17
Modified
2024-08-15 17:50
Severity ?
EPSS score ?
Summary
User enumeration vulnerability in Liferay Portal 7.2.0 through 7.4.3.26, and older unsupported versions, and Liferay DXP 7.4 before update 27, 7.3 before update 8, 7.2 before fix pack 20, and older unsupported versions allows remote attackers to determine if an account exist in the application by comparing the request's response time.
References
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:07:19.174Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26268"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:liferay:liferay_enterprise_portal:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "liferay_enterprise_portal",
"vendor": "liferay",
"versions": [
{
"lessThanOrEqual": "7.4.3.26",
"status": "affected",
"version": "7.2.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:ibexa:digital_experience_platform:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "digital_experience_platform",
"vendor": "ibexa",
"versions": [
{
"lessThanOrEqual": "7.4.13.u26",
"status": "affected",
"version": "7.4.13",
"versionType": "custom"
},
{
"lessThanOrEqual": "7.3.10.u7",
"status": "affected",
"version": "7.3.10",
"versionType": "custom"
},
{
"lessThanOrEqual": "7.2.10-dxp-19",
"status": "affected",
"version": "7.2.10",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26268",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-20T16:17:11.147707Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-15T17:50:15.783Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Portal",
"vendor": "Liferay",
"versions": [
{
"lessThanOrEqual": "7.4.3.26",
"status": "affected",
"version": "7.2.0",
"versionType": "maven"
}
]
},
{
"defaultStatus": "unknown",
"product": "DXP",
"vendor": "Liferay",
"versions": [
{
"lessThanOrEqual": "7.4.13.u26",
"status": "affected",
"version": "7.4.13",
"versionType": "maven"
},
{
"lessThanOrEqual": "7.3.10.u7",
"status": "affected",
"version": "7.3.10",
"versionType": "maven"
},
{
"lessThanOrEqual": "7.2.10-dxp-19",
"status": "affected",
"version": "7.2.10",
"versionType": "maven"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Barnab\u00e1s Horv\u00e1th (T4r0)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "User enumeration vulnerability in Liferay Portal 7.2.0 through 7.4.3.26, and older unsupported versions, and Liferay DXP 7.4 before update 27, 7.3 before update 8, 7.2 before fix pack 20, and older unsupported versions allows remote attackers to determine if an account exist in the application by comparing the request\u0027s response time."
}
],
"value": "User enumeration vulnerability in Liferay Portal 7.2.0 through 7.4.3.26, and older unsupported versions, and Liferay DXP 7.4 before update 27, 7.3 before update 8, 7.2 before fix pack 20, and older unsupported versions allows remote attackers to determine if an account exist in the application by comparing the request\u0027s response time."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-203",
"description": "CWE-203 Observable Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-21T03:50:53.570Z",
"orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
"shortName": "Liferay"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26268"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
"assignerShortName": "Liferay",
"cveId": "CVE-2024-26268",
"datePublished": "2024-02-20T13:17:28.137Z",
"dateReserved": "2024-02-15T07:44:36.776Z",
"dateUpdated": "2024-08-15T17:50:15.783Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2024-26268\",\"sourceIdentifier\":\"security@liferay.com\",\"published\":\"2024-02-20T14:15:09.350\",\"lastModified\":\"2024-11-21T09:02:16.310\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"User enumeration vulnerability in Liferay Portal 7.2.0 through 7.4.3.26, and older unsupported versions, and Liferay DXP 7.4 before update 27, 7.3 before update 8, 7.2 before fix pack 20, and older unsupported versions allows remote attackers to determine if an account exist in the application by comparing the request\u0027s response time.\"},{\"lang\":\"es\",\"value\":\"Vulnerabilidad de enumeraci\u00f3n de usuarios en Liferay Portal 7.2.0 a 7.4.3.26 y versiones anteriores no soportadas, y Liferay DXP 7.4 antes de la actualizaci\u00f3n 27, 7.3 antes de la actualizaci\u00f3n 8, 7.2 antes del fixpack 20 y versiones anteriores no soportadas permite a atacantes remotos determinar si una cuenta existen en la aplicaci\u00f3n comparando el tiempo de respuesta de la solicitud.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@liferay.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security@liferay.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-203\"}]}],\"references\":[{\"url\":\"https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26268\",\"source\":\"security@liferay.com\"},{\"url\":\"https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26268\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.