Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0yODY4LWZmNDQtNDNxds4AAzdS
Liferay portal unauthorized access to objects via OAuth 2 scope
The Object module in Liferay Portal 7.4.3.4 through 7.4.3.48, and Liferay DXP 7.4 before update 49, does not properly isolate objects in different virtual instances, which allows remote authenticated users in one virtual instance to view objects in a different virtual instance via the OAuth 2 scope administration page.
Permalink: https://github.com/advisories/GHSA-2868-ff44-43qv
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yODY4LWZmNDQtNDNxds4AAzdS
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 11 months ago
Updated: 6 months ago
CVSS Score: 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-2868-ff44-43qv, CVE-2023-33946
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-33946
- https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33946
- https://github.com/advisories/GHSA-2868-ff44-43qv
Affected Packages
maven:com.liferay.portal:release.portal.bom
Dependent packages: 5
Dependent repositories: 33
Downloads:
Affected Version Ranges: >= 7.4.3.4, < 7.4.3.49
Fixed in: 7.4.3.49
All affected versions:
All unaffected versions: 7.0.6, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.4.0, 7.4.1, 7.4.2