CVE-2024-25143
First published: Wed Feb 07 2024(Updated: )
The Document and Media widget In Liferay Portal 7.2.0 through 7.3.6, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 13, and older unsupported versions, does not limit resource consumption when generating a preview image, which allows remote authenticated users to cause a denial of service (memory consumption) via crafted PNG images.
Credit: security@liferay.com security@liferay.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/com.liferay.portal:release.portal.bom | >=7.2.0<7.3.7 | 7.3.7 |
| Liferay DXP | <7.2 | |
| Liferay DXP | =7.2 | |
| Liferay DXP | =7.2-fix_pack_1 | |
| Liferay DXP | =7.2-fix_pack_10 | |
| Liferay DXP | =7.2-fix_pack_11 | |
| Liferay DXP | =7.2-fix_pack_12 | |
| Liferay DXP | =7.2-fix_pack_2 | |
| Liferay DXP | =7.2-fix_pack_3 | |
| Liferay DXP | =7.2-fix_pack_4 | |
| Liferay DXP | =7.2-fix_pack_5 | |
| Liferay DXP | =7.2-fix_pack_6 | |
| Liferay DXP | =7.2-fix_pack_7 | |
| Liferay DXP | =7.2-fix_pack_8 | |
| Liferay DXP | =7.2-fix_pack_9 | |
| Liferay DXP | =7.3 | |
| Liferay DXP | =7.3-fix_pack_1 | |
| Liferay 7.4 GA | <7.2.0 | |
| Liferay 7.4 GA | >=7.2.0<=7.2.1 | |
| Liferay 7.4 GA | >=7.3.0<7.3.7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25143
- https://nvd.nist.gov/vuln/detail/CVE-2024-25143
- https://github.com/liferay/liferay-portal/commit/29b73b9b896c7d44fb5d1800a402698c303d1cf6
- https://github.com/liferay/liferay-portal/commit/4381c10ad0722b3b00c3e3567b68538ab0994145
- https://github.com/liferay/liferay-portal/releases/tag/7.3.7-ga8
- https://github.com/advisories/GHSA-87m3-6qj3-p3xh (Advisory)
Frequently Asked Questions
What is the severity of CVE-2024-25143?
CVE-2024-25143 is considered a high-severity vulnerability due to its potential to allow remote authenticated attackers to cause resource exhaustion.
How do I fix CVE-2024-25143?
To fix CVE-2024-25143, upgrade Liferay Portal to version 7.3.7 or later, or apply the relevant patches for affected versions.
What software is affected by CVE-2024-25143?
CVE-2024-25143 affects Liferay Portal versions 7.2.0 through 7.3.6, and Liferay DXP 7.3 before service pack 3.
Can CVE-2024-25143 be exploited remotely?
Yes, CVE-2024-25143 can be exploited by remote authenticated attackers to affect resource consumption.
Are older versions of Liferay also affected by CVE-2024-25143?
Yes, older unsupported versions of Liferay Portal are also affected by CVE-2024-25143.
- agent/first-publish-date
- agent/type
- agent/description
- agent/severity
- agent/references
- agent/author
- agent/event
- collector/epss-latest
- source/FIRST
- agent/epss
- collector/mitre-cve
- source/MITRE
- agent/weakness
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-87m3-6qj3-p3xh
- alias/CVE-2024-25143
- agent/software-canonical-lookup
- collector/nvd-cve
- source/NVD
- collector/github-advisory
- agent/last-modified-date
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-api
- agent/software-canonical-lookup-request
- package-manager/maven
- vendor/liferay
- canonical/liferay dxp
- version/liferay dxp/7.2
- version/liferay dxp/7.2-fix_pack_1
- version/liferay dxp/7.2-fix_pack_10
- version/liferay dxp/7.2-fix_pack_11
- version/liferay dxp/7.2-fix_pack_12
- version/liferay dxp/7.2-fix_pack_2
- version/liferay dxp/7.2-fix_pack_3
- version/liferay dxp/7.2-fix_pack_4
- version/liferay dxp/7.2-fix_pack_5
- version/liferay dxp/7.2-fix_pack_6
- version/liferay dxp/7.2-fix_pack_7
- version/liferay dxp/7.2-fix_pack_8
- version/liferay dxp/7.2-fix_pack_9
- version/liferay dxp/7.3
- version/liferay dxp/7.3-fix_pack_1
- canonical/liferay 7.4 ga
- version/liferay 7.4 ga/7.2.0
- version/liferay 7.4 ga/7.2.1
- version/liferay 7.4 ga/7.3.0