First published: Wed May 24 2023
Pattern Redirects in Liferay Portal 7.4.3.48 through 7.4.3.76, and Liferay DXP 7.4 update 48 through 76, allow regular expressions that are vulnerable to ReDoS (regular expression denial of service) to be used as redirect patterns. Because request URLs are matched against the configured patterns, a remote attacker can craft request URLs that drive the regex engine into catastrophic backtracking and consume an excessive amount of server resources.
Credit: security@liferay.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Liferay Digital Experience Platform | =7.4-update48 | 7.4 update 77 |
| Liferay Digital Experience Platform | =7.4-update76 | 7.4 update 77 |
| Liferay Portal | >=7.4.3.48 <=7.4.3.76 | 7.4.3.77 |
| maven/com.liferay.portal:release.portal.bom | >=7.4.3.48 <7.4.3.77 | 7.4.3.77 |
CVE-2023-33950 allows remote attackers to consume an excessive amount of server resources in Liferay Portal 7.4.3.48 through 7.4.3.76 and Liferay DXP 7.4 update 48 through 76 by sending crafted request URLs.
The Pattern Redirects feature takes a configured regular expression as the pattern for a redirect and does not reject expressions that are vulnerable to ReDoS. Once such a pattern is in place, a request URL shaped to defeat the pattern's nested or overlapping quantifiers (a long run of characters that match, followed by one that makes the overall match fail) forces the regex engine to try every way of splitting the input before giving up, so a small number of requests can tie up the server. The regular expression itself is not carried in the URL; the attacker needs only a vulnerable configured pattern and a URL crafted against it.
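The backtracking behaviour described above, as an added example in Java (the language of Liferay and of its java.util.regex engine), not code from Liferay or from this advisory: a constructed redirect pattern with a nested quantifier and a constructed request path that makes the engine try every split of the input, beside a single-quantifier pattern that accepts the same URLs, plus two mitigations an operator could apply to the patterns they configure. The class and method names, the 100 ms budget and the nested-quantifier heuristic are assumptions made for this demo, not Liferay's fix; it needs Java 11 or later for String.repeat.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.concurrent.TimeUnit;
import java.util.regex.Pattern;

// Added example, not Liferay code: a nested-quantifier redirect pattern plus a
// crafted URL trigger catastrophic backtracking in java.util.regex; the two checks
// below (a pre-save heuristic and a per-match deadline) are illustrative mitigations.
// The pattern strings, the URL and the 100 ms budget are constructed for the demo.
public class RedirectPatternRedosDemo {

    /** Thrown when a match exceeds its time budget. */
    static final class MatchTimeoutException extends RuntimeException {
        MatchTimeoutException() { super("regex match exceeded its time budget"); }
    }

    /**
     * CharSequence wrapper that aborts the match once a deadline passes. The regex
     * engine reads input through charAt(), so an exponential backtrack is cut off
     * at the next character read instead of pinning a request thread.
     */
    static final class DeadlineCharSequence implements CharSequence {
        private final CharSequence inner;
        private final long deadlineNanos;
        DeadlineCharSequence(CharSequence inner, long deadlineNanos) {
            this.inner = inner;
            this.deadlineNanos = deadlineNanos;
        }
        @Override public int length() { return inner.length(); }
        @Override public char charAt(int index) {
            if (System.nanoTime() - deadlineNanos > 0) throw new MatchTimeoutException();
            return inner.charAt(index);
        }
        @Override public CharSequence subSequence(int start, int end) {
            return new DeadlineCharSequence(inner.subSequence(start, end), deadlineNanos);
        }
        @Override public String toString() { return inner.toString(); }
    }

    /** Matches url against pattern; throws MatchTimeoutException after timeoutMillis. */
    static boolean matchesWithinBudget(Pattern pattern, String url, long timeoutMillis) {
        long deadline = System.nanoTime() + TimeUnit.MILLISECONDS.toNanos(timeoutMillis);
        return pattern.matcher(new DeadlineCharSequence(url, deadline)).matches();
    }

    /**
     * Heuristic pre-save check: true if a group containing a quantifier is itself
     * quantified, e.g. "(a+)+" or "(\w*)*". Escapes, character classes and the "?"
     * of "(?:...)"-style groups are skipped. It flags the most common ReDoS shape
     * only; a false result does not prove the pattern safe.
     */
    static boolean hasNestedQuantifier(String regex) {
        Deque<boolean[]> scopes = new ArrayDeque<>();   // one "saw a quantifier" flag per open group
        scopes.push(new boolean[] {false});             // root scope
        for (int i = 0; i < regex.length(); i++) {
            char c = regex.charAt(i);
            if (c == '\\') {                            // skip escaped character
                i++;
            } else if (c == '[') {                      // skip character class
                for (i++; i < regex.length() && regex.charAt(i) != ']'; i++) {
                    if (regex.charAt(i) == '\\') i++;
                }
            } else if (c == '(') {
                scopes.push(new boolean[] {false});
                if (i + 1 < regex.length() && regex.charAt(i + 1) == '?') i++;
            } else if (c == ')' && scopes.size() > 1) {
                boolean quantifierInside = scopes.pop()[0];
                boolean groupQuantified = i + 1 < regex.length() && isQuantifier(regex.charAt(i + 1));
                if (quantifierInside && groupQuantified) return true;
                if (quantifierInside || groupQuantified) scopes.peek()[0] = true;
            } else if (isQuantifier(c)) {
                scopes.peek()[0] = true;
            }
        }
        return false;
    }

    private static boolean isQuantifier(char c) {
        return c == '*' || c == '+' || c == '?' || c == '{';
    }

    public static void main(String[] args) {
        String vulnerable = "^/([a-z]+)+$";   // quantified group of a quantified token
        String safe = "^/[a-z]+$";            // accepts the same URLs with one quantifier
        // A long run that matches the inner token, then a character that makes the
        // whole match fail, so every way of splitting the run is tried before giving up.
        String craftedUrl = "/" + "a".repeat(40) + "!";
        System.out.println(vulnerable + " nested quantifier: " + hasNestedQuantifier(vulnerable));
        System.out.println(safe + " nested quantifier: " + hasNestedQuantifier(safe));
        System.out.println(safe + " on crafted URL: " + matchesWithinBudget(Pattern.compile(safe), craftedUrl, 100));
        try {
            matchesWithinBudget(Pattern.compile(vulnerable), craftedUrl, 100);
        } catch (MatchTimeoutException e) {
            System.out.println(vulnerable + " on crafted URL: " + e.getMessage());
        }
    }
}
```

The safe pattern rejects the crafted path immediately, while the nested-quantifier pattern hits the deadline: with 40 repeated characters there are on the order of 2^40 ways to split the run between the inner and outer quantifiers, and the engine tries them all because the trailing "!" guarantees failure. The deadline only bounds the damage per request; the heuristic catches the (x+)+ shape but not every ReDoS construction (overlapping alternations such as (a|a)+ pass it), so neither replaces the upgrade.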
CVE-2023-33950 has a severity score of 7, which is rated high.
Liferay Portal versions 7.4.3.48 through 7.4.3.76 and Liferay DXP versions 7.4 update 48 through 76 are affected by CVE-2023-33950.
To fix CVE-2023-33950, upgrade to Liferay Portal 7.4.3.77 or later, or Liferay DXP 7.4 update 77 or later. Until the upgrade is applied, auditing the configured redirect patterns for ReDoS-prone constructs (nested quantifiers, overlapping alternations) and simplifying any found removes the precondition the attack depends on.