Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS04N20zLTZxajMtcDN4aM4AA5JH
Liferay Portal denial of service (memory consumption)
The Document and Media widget In Liferay Portal 7.2.0 through 7.3.6, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 13, and older unsupported versions, does not limit resource consumption when generating a preview image, which allows remote authenticated users to cause a denial of service (memory consumption) via crafted PNG images.
Permalink: https://github.com/advisories/GHSA-87m3-6qj3-p3xhJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04N20zLTZxajMtcDN4aM4AA5JH
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 3 months ago
Updated: 3 months ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-87m3-6qj3-p3xh, CVE-2024-25143
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-25143
- https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25143
- https://github.com/liferay/liferay-portal/commit/29b73b9b896c7d44fb5d1800a402698c303d1cf6
- https://github.com/liferay/liferay-portal/commit/4381c10ad0722b3b00c3e3567b68538ab0994145
- https://github.com/liferay/liferay-portal/releases/tag/7.3.7-ga8
- https://github.com/advisories/GHSA-87m3-6qj3-p3xh
Blast Radius: 9.9
Affected Packages
maven:com.liferay.portal:release.portal.bom
Dependent packages: 5Dependent repositories: 33
Downloads:
Affected Version Ranges: >= 7.2.0, < 7.3.7
Fixed in: 7.3.7
All affected versions: 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6
All unaffected versions: 7.0.6, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.3.7, 7.4.0, 7.4.1, 7.4.2