CVE-2021-33327
CVE-2021-33327 is a medium-severity vulnerability rated 4.3/10 on the CVSS scale. The Portlet Configuration module in Liferay Portal 7.2.0 through 7.3.3, and Liferay DXP 7.0 fix pack 93 and 94, 7.1 fix pack 18, and 7.2 before fix pack 8, does not properly check user permission, which allows remote authenticated users to view the Guest and User role even if "Role Visibility" is enabled. EPSS estimates a 0.86% chance of exploitation in the next 30 days.
Description
The Portlet Configuration module in Liferay Portal 7.2.0 through 7.3.3, and Liferay DXP 7.0 fix pack 93 and 94, 7.1 fix pack 18, and 7.2 before fix pack 8, does not properly check user permission, which allows remote authenticated users to view the Guest and User role even if "Role Visibility" is enabled.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions | Update |
|---|---|---|---|
| Liferay | Digital Experience Platform | 7.0 | Fix Pack 93 |
| Liferay | Digital Experience Platform | 7.1 | Fix Pack 18 |
| Liferay | Digital Experience Platform | 7.2 | — |
| Liferay | Liferay Portal | >= 7.2.0, < 7.3.4 | — |
References
- https://issues.liferay.com/browse/LPE-17075 (Patch, Vendor Advisory)
- https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747840 (Release Notes, Vendor Advisory)
Timeline
- Published
- Last Modified
- Status
- Modified
Source: NVD / NIST
