CVE-2024-38002
Last modified
CVE-2024-38002 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. The workflow component in Liferay Portal 7.3.2 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92 and 7.3 GA through update 36 does not properly check user permissions before updating a workflow definition, which allows remote authenticated users to modify workflow definitions and execute arbitrary code (RCE) via the headless API.. EPSS estimates a 0.59% chance of exploitation in the next 30 days.
Description
The workflow component in Liferay Portal 7.3.2 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92 and 7.3 GA through update 36 does not properly check user permissions before updating a workflow definition, which allows remote authenticated users to modify workflow definitions and execute arbitrary code (RCE) via the headless API.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Liferay | Digital Experience Platform | >= 2023.q3.1, < 2023.q3.9 |
| Liferay | Digital Experience Platform | >= 2023.q4.0, < 2023.q4.6 |
| Liferay | Digital Experience Platform | 7.3 |
| Liferay | Digital Experience Platform | 7.4 |
| Liferay | Liferay Portal | >= 7.3.2, <= 7.3.7 |
| Liferay | Liferay Portal | >= 7.4.0, < 7.4.3.112 |
References
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2024-38002?
How severe is CVE-2024-38002?
How do I fix CVE-2024-38002?
Are you affected by CVE-2024-38002?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST