critical
9
CWE
863
Advisory Published
Updated

CVE-2024-38002

First published: Tue Oct 22 2024(Updated: )

The workflow component in Liferay Portal 7.3.2 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92 and 7.3 GA through update 36 does not properly check user permissions before updating a workflow definition, which allows remote authenticated users to modify workflow definitions and execute arbitrary code (RCE) via the headless API.

Credit: security@liferay.com

Affected SoftwareAffected VersionHow to fix
Liferay DXP>=2023.q3.1<2023.q3.9
Liferay DXP>=2023.q4.0<2023.q4.6
Liferay DXP=7.3
Liferay DXP=7.3-fix_pack_1
Liferay DXP=7.3-fix_pack_2
Liferay DXP=7.3-service_pack_1
Liferay DXP=7.3-service_pack_3
Liferay DXP=7.3-update10
Liferay DXP=7.3-update11
Liferay DXP=7.3-update12
Liferay DXP=7.3-update13
Liferay DXP=7.3-update14
Liferay DXP=7.3-update15
Liferay DXP=7.3-update16
Liferay DXP=7.3-update17
Liferay DXP=7.3-update18
Liferay DXP=7.3-update19
Liferay DXP=7.3-update20
Liferay DXP=7.3-update21
Liferay DXP=7.3-update22
Liferay DXP=7.3-update23
Liferay DXP=7.3-update24
Liferay DXP=7.3-update25
Liferay DXP=7.3-update26
Liferay DXP=7.3-update27
Liferay DXP=7.3-update28
Liferay DXP=7.3-update29
Liferay DXP=7.3-update30
Liferay DXP=7.3-update31
Liferay DXP=7.3-update32
Liferay DXP=7.3-update33
Liferay DXP=7.3-update34
Liferay DXP=7.3-update35
Liferay DXP=7.3-update36
Liferay DXP=7.3-update4
Liferay DXP=7.3-update5
Liferay DXP=7.3-update6
Liferay DXP=7.3-update7
Liferay DXP=7.3-update8
Liferay DXP=7.3-update9
Liferay DXP=7.4
Liferay DXP=7.4-update1
Liferay DXP=7.4-update10
Liferay DXP=7.4-update11
Liferay DXP=7.4-update12
Liferay DXP=7.4-update13
Liferay DXP=7.4-update14
Liferay DXP=7.4-update15
Liferay DXP=7.4-update16
Liferay DXP=7.4-update17
Liferay DXP=7.4-update18
Liferay DXP=7.4-update19
Liferay DXP=7.4-update2
Liferay DXP=7.4-update20
Liferay DXP=7.4-update21
Liferay DXP=7.4-update22
Liferay DXP=7.4-update23
Liferay DXP=7.4-update24
Liferay DXP=7.4-update25
Liferay DXP=7.4-update26
Liferay DXP=7.4-update27
Liferay DXP=7.4-update28
Liferay DXP=7.4-update29
Liferay DXP=7.4-update3
Liferay DXP=7.4-update30
Liferay DXP=7.4-update31
Liferay DXP=7.4-update32
Liferay DXP=7.4-update33
Liferay DXP=7.4-update34
Liferay DXP=7.4-update35
Liferay DXP=7.4-update36
Liferay DXP=7.4-update37
Liferay DXP=7.4-update38
Liferay DXP=7.4-update39
Liferay DXP=7.4-update4
Liferay DXP=7.4-update40
Liferay DXP=7.4-update41
Liferay DXP=7.4-update42
Liferay DXP=7.4-update43
Liferay DXP=7.4-update44
Liferay DXP=7.4-update45
Liferay DXP=7.4-update46
Liferay DXP=7.4-update47
Liferay DXP=7.4-update48
Liferay DXP=7.4-update49
Liferay DXP=7.4-update5
Liferay DXP=7.4-update50
Liferay DXP=7.4-update51
Liferay DXP=7.4-update52
Liferay DXP=7.4-update53
Liferay DXP=7.4-update54
Liferay DXP=7.4-update55
Liferay DXP=7.4-update56
Liferay DXP=7.4-update57
Liferay DXP=7.4-update58
Liferay DXP=7.4-update59
Liferay DXP=7.4-update6
Liferay DXP=7.4-update60
Liferay DXP=7.4-update61
Liferay DXP=7.4-update62
Liferay DXP=7.4-update63
Liferay DXP=7.4-update64
Liferay DXP=7.4-update65
Liferay DXP=7.4-update66
Liferay DXP=7.4-update67
Liferay DXP=7.4-update68
Liferay DXP=7.4-update69
Liferay DXP=7.4-update7
Liferay DXP=7.4-update70
Liferay DXP=7.4-update71
Liferay DXP=7.4-update72
Liferay DXP=7.4-update73
Liferay DXP=7.4-update74
Liferay DXP=7.4-update75
Liferay DXP=7.4-update76
Liferay DXP=7.4-update77
Liferay DXP=7.4-update78
Liferay DXP=7.4-update79
Liferay DXP=7.4-update8
Liferay DXP=7.4-update80
Liferay DXP=7.4-update81
Liferay DXP=7.4-update82
Liferay DXP=7.4-update83
Liferay DXP=7.4-update84
Liferay DXP=7.4-update85
Liferay DXP=7.4-update86
Liferay DXP=7.4-update87
Liferay DXP=7.4-update88
Liferay DXP=7.4-update89
Liferay DXP=7.4-update9
Liferay DXP=7.4-update90
Liferay DXP=7.4-update91
Liferay DXP=7.4-update92
Liferay 7.4 GA>=7.3.2<=7.3.7
Liferay 7.4 GA>=7.4.0<7.4.3.112

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2024-38002?

    CVE-2024-38002 has been rated as a critical severity vulnerability due to its potential for exploitation allowing unauthorized modifications.

  • How do I fix CVE-2024-38002?

    To fix CVE-2024-38002, upgrade your Liferay Portal or Liferay DXP installation to the latest patched version that addresses this vulnerability.

  • What versions are affected by CVE-2024-38002?

    CVE-2024-38002 affects Liferay Portal versions from 7.3.2 to 7.4.3.111 and specific versions of Liferay DXP 2023.

  • What type of vulnerability is CVE-2024-38002?

    CVE-2024-38002 is a permissions-related vulnerability in the workflow component of Liferay applications.

  • Can CVE-2024-38002 lead to unauthorized access?

    Yes, CVE-2024-38002 could potentially allow remote authenticated users to modify workflow definitions without proper permissions.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203