First published: Tue Aug 03 2021
Liferay Portal 7.2.0 through 7.3.2, and Liferay DXP 7.2 before fix pack 9, allows access to Cross-origin resource sharing (CORS) protected resources if the user is only authenticated using the portal session authentication, which allows remote attackers to obtain sensitive information including the targeted user’s email address and current CSRF token.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
maven/com.liferay.portal:release.portal.bom | >=7.2.0 <7.3.3 | 7.3.3 |
Liferay DXP | =7.2 | fix pack 9 |
Liferay DXP | =7.2-fix_pack_1 | fix pack 9 |
Liferay DXP | =7.2-fix_pack_2 | fix pack 9 |
Liferay DXP | =7.2-fix_pack_3 | fix pack 9 |
Liferay DXP | =7.2-fix_pack_4 | fix pack 9 |
Liferay DXP | =7.2-fix_pack_5 | fix pack 9 |
Liferay DXP | =7.2-fix_pack_6 | fix pack 9 |
Liferay DXP | =7.2-fix_pack_7 | fix pack 9 |
Liferay DXP | =7.2-fix_pack_8 | fix pack 9 |
Liferay Portal | >=7.2.0 <7.3.3 | 7.3.3 |
CVE-2021-33330 is a vulnerability that allows access to Cross-origin resource sharing (CORS) protected resources in Liferay Portal 7.2.0 through 7.3.2 and Liferay DXP 7.2 before fix pack 9 if the user is only authenticated using the portal session authentication.
CVE-2021-33330 has a severity rating of 4.3 (Medium).
To fix CVE-2021-33330, update Liferay Portal to version 7.3.3 or above, or apply fix pack 9 or above for Liferay DXP 7.2.
You can find more information about CVE-2021-33330 on the NVD website (https://nvd.nist.gov/vuln/detail/CVE-2021-33330) and the Liferay Portal Security page (https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747720).
There is no known workaround for CVE-2021-33330. It is recommended to apply the necessary patches or updates.
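To make the access-control point of this advisory concrete, the model below contrasts the described pre-fix rule (any authenticated principal, including one authenticated only by the browser-attached session cookie, is served a CORS-protected resource) with the corrected rule (a cross-origin request must carry an explicit credential). It is an added illustration, not Liferay code; the request shape, the origin values, the sample resource body and the `handle`/`weak_policy`/`fixed_policy` names are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Assumed values for the illustration; not taken from any Liferay configuration.
SITE_ORIGIN = "https://portal.example"   # the portal's own origin
PROTECTED_RESOURCE = {"email": "user@example.com", "csrfToken": "constructed-token"}


@dataclass(frozen=True)
class Request:
    origin: Optional[str]        # Origin header, None when the browser sent none
    session_cookie: bool         # the portal session cookie was attached
    bearer_token: Optional[str]  # an explicit credential, e.g. an API token


def is_cross_origin(req: Request) -> bool:
    return req.origin is not None and req.origin != SITE_ORIGIN


def weak_policy(req: Request) -> bool:
    """Pre-fix rule as the advisory describes it: any authenticated principal
    is served, so a browser-attached session cookie is enough even when the
    request was triggered by a page on another origin."""
    return req.session_cookie or req.bearer_token is not None


def fixed_policy(req: Request) -> bool:
    """Corrected rule: session-only authentication is honoured for same-origin
    requests only; a cross-origin request must carry an explicit credential."""
    if is_cross_origin(req):
        return req.bearer_token is not None
    return req.session_cookie or req.bearer_token is not None


def handle(req: Request, policy: Callable[[Request], bool]) -> dict:
    """Build the response a CORS-protected endpoint would send under `policy`.
    The origin allow-list is deliberately left out: it is orthogonal to the
    credential question this CVE is about and is assumed to admit req.origin."""
    if not policy(req):
        return {"status": 403, "headers": {}, "body": None}
    headers = {}
    if is_cross_origin(req):
        headers["Access-Control-Allow-Origin"] = req.origin
        headers["Access-Control-Allow-Credentials"] = "true"
    return {"status": 200, "headers": headers, "body": dict(PROTECTED_RESOURCE)}
```

Under `weak_policy` a cross-origin request carrying only the session cookie receives the email address and CSRF token in the body; under `fixed_policy` the same request is refused while same-origin and token-authenticated requests are unaffected.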