First published: Mon May 17 2021(Updated: )
The Data Engine module in Liferay Portal 7.3.0 through 7.3.5, and Liferay DXP 7.3 before fix pack 1 does not check permissions in DataDefinitionResourceImpl.getSiteDataDefinitionByContentTypeByDataDefinitionKey, which allows remote authenticated users to view DDMStructures via GET API calls.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Liferay DXP | =7.3 | |
Liferay Liferay Portal | >=7.3.0<=7.3.5 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The vulnerability ID is CVE-2021-29052.
The severity of CVE-2021-29052 is medium.
Liferay Portal versions 7.3.0 through 7.3.5, and Liferay DXP version 7.3 before fix pack 1 are affected by CVE-2021-29052.
Remote authenticated users can exploit CVE-2021-29052 by making GET API calls to view DDMStructures without proper permissions in DataDefinitionResourceImpl.getSiteDataDefinitionByContentTypeByDataDefinitionKey.
You can find more information about CVE-2021-29052 on the Liferay website (http://liferay.com) and the Liferay Developer Portal (https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743159).