What is the severity of CVE-2019-11444?

CVE-2019-11444 is disputed, but it relates to potential remote command execution vulnerabilities that can be exploited by attackers.

How does CVE-2019-11444 allow execution of OS commands?

CVE-2019-11444 allows execution of OS commands through Liferay's Groovy script console using the [command].execute() method.

What version of Liferay Portal is affected by CVE-2019-11444?

CVE-2019-11444 specifically affects Liferay Portal CE version 7.1.2 GA3.

Can I exploit CVE-2019-11444 if I have access to the Groovy script console?

Yes, if an attacker has access to the Groovy script console in Liferay Portal CE 7.1.2 GA3, they can potentially exploit CVE-2019-11444 to execute commands.

How can I mitigate the risks associated with CVE-2019-11444?

To mitigate the risks of CVE-2019-11444, it is recommended to restrict access to the Groovy script console and upgrade to a patched version of Liferay Portal.

Vulnerability/
CVE-2019-11444

critical

CWE

22/4/2019

4/8/2024

CVE-2019-11444: OS Command Injection

First published: Mon Apr 22 2019(Updated: )

** DISPUTED ** An issue was discovered in Liferay Portal CE 7.1.2 GA3. An attacker can use Liferay's Groovy script console to execute OS commands. Commands can be executed via a [command].execute() call, as demonstrated by "def cmd =" in the ServerAdminPortlet_script value to group/control_panel/manage. Valid credentials for an application administrator user account are required. NOTE: The developer disputes this as a vulnerability since it is a feature for administrators to run groovy scripts and therefore not a design flaw.

Credit: cve@mitre.org

Affected Software	Affected Version	How to fix
Liferay 7.4 GA	=7.1.2-ga3

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2019-11444?
CVE-2019-11444 is disputed, but it relates to potential remote command execution vulnerabilities that can be exploited by attackers.
How does CVE-2019-11444 allow execution of OS commands?
CVE-2019-11444 allows execution of OS commands through Liferay's Groovy script console using the [command].execute() method.
What version of Liferay Portal is affected by CVE-2019-11444?
CVE-2019-11444 specifically affects Liferay Portal CE version 7.1.2 GA3.
Can I exploit CVE-2019-11444 if I have access to the Groovy script console?
Yes, if an attacker has access to the Groovy script console in Liferay Portal CE 7.1.2 GA3, they can potentially exploit CVE-2019-11444 to execute commands.
How can I mitigate the risks associated with CVE-2019-11444?
To mitigate the risks of CVE-2019-11444, it is recommended to restrict access to the Groovy script console and upgrade to a patched version of Liferay Portal.

agent/type
agent/author
agent/severity
agent/weakness
agent/references
agent/status
agent/softwarecombine
agent/description
collector/mitre-cve
source/MITRE
agent/first-publish-date
agent/event
agent/last-modified-date
agent/source
agent/tags
collector/nvd-api
source/NVD
agent/software-canonical-lookup
agent/software-canonical-lookup-request
collector/nvd-index
vendor/liferay
canonical/liferay 7.4 ga
version/liferay 7.4 ga/7.1.2-ga3
status/disputed

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.