What is the severity of CVE-2024-38002?

CVE-2024-38002 has been rated as a critical severity vulnerability due to its potential for exploitation allowing unauthorized modifications.

How do I fix CVE-2024-38002?

To fix CVE-2024-38002, upgrade your Liferay Portal or Liferay DXP installation to the latest patched version that addresses this vulnerability.

What versions are affected by CVE-2024-38002?

CVE-2024-38002 affects Liferay Portal versions from 7.3.2 to 7.4.3.111 and specific versions of Liferay DXP 2023.

What type of vulnerability is CVE-2024-38002?

CVE-2024-38002 is a permissions-related vulnerability in the workflow component of Liferay applications.

Can CVE-2024-38002 lead to unauthorized access?

Yes, CVE-2024-38002 could potentially allow remote authenticated users to modify workflow definitions without proper permissions.

Vulnerability/
CVE-2024-38002

critical

CWE

863

22/10/2024

10/12/2024

CVE-2024-38002

First published: Tue Oct 22 2024(Updated: )

The workflow component in Liferay Portal 7.3.2 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92 and 7.3 GA through update 36 does not properly check user permissions before updating a workflow definition, which allows remote authenticated users to modify workflow definitions and execute arbitrary code (RCE) via the headless API.

Credit: security@liferay.com

Affected Software	Affected Version	How to fix
Liferay 7.4 GA	>=2023.q3.1<2023.q3.9
Liferay 7.4 GA	>=2023.q4.0<2023.q4.6
Liferay 7.4 GA	=7.3
Liferay 7.4 GA	=7.3-fix_pack_1
Liferay 7.4 GA	=7.3-fix_pack_2
Liferay 7.4 GA	=7.3-service_pack_1
Liferay 7.4 GA	=7.3-service_pack_3
Liferay 7.4 GA	=7.3-update10
Liferay 7.4 GA	=7.3-update11
Liferay 7.4 GA	=7.3-update12
Liferay 7.4 GA	=7.3-update13
Liferay 7.4 GA	=7.3-update14
Liferay 7.4 GA	=7.3-update15
Liferay 7.4 GA	=7.3-update16
Liferay 7.4 GA	=7.3-update17
Liferay 7.4 GA	=7.3-update18
Liferay 7.4 GA	=7.3-update19
Liferay 7.4 GA	=7.3-update20
Liferay 7.4 GA	=7.3-update21
Liferay 7.4 GA	=7.3-update22
Liferay 7.4 GA	=7.3-update23
Liferay 7.4 GA	=7.3-update24
Liferay 7.4 GA	=7.3-update25
Liferay 7.4 GA	=7.3-update26
Liferay 7.4 GA	=7.3-update27
Liferay 7.4 GA	=7.3-update28
Liferay 7.4 GA	=7.3-update29
Liferay 7.4 GA	=7.3-update30
Liferay 7.4 GA	=7.3-update31
Liferay 7.4 GA	=7.3-update32
Liferay 7.4 GA	=7.3-update33
Liferay 7.4 GA	=7.3-update34
Liferay 7.4 GA	=7.3-update35
Liferay 7.4 GA	=7.3-update36
Liferay 7.4 GA	=7.3-update4
Liferay 7.4 GA	=7.3-update5
Liferay 7.4 GA	=7.3-update6
Liferay 7.4 GA	=7.3-update7
Liferay 7.4 GA	=7.3-update8
Liferay 7.4 GA	=7.3-update9
Liferay 7.4 GA	=7.4
Liferay 7.4 GA	=7.4-update1
Liferay 7.4 GA	=7.4-update10
Liferay 7.4 GA	=7.4-update11
Liferay 7.4 GA	=7.4-update12
Liferay 7.4 GA	=7.4-update13
Liferay 7.4 GA	=7.4-update14
Liferay 7.4 GA	=7.4-update15
Liferay 7.4 GA	=7.4-update16
Liferay 7.4 GA	=7.4-update17
Liferay 7.4 GA	=7.4-update18
Liferay 7.4 GA	=7.4-update19
Liferay 7.4 GA	=7.4-update2
Liferay 7.4 GA	=7.4-update20
Liferay 7.4 GA	=7.4-update21
Liferay 7.4 GA	=7.4-update22
Liferay 7.4 GA	=7.4-update23
Liferay 7.4 GA	=7.4-update24
Liferay 7.4 GA	=7.4-update25
Liferay 7.4 GA	=7.4-update26
Liferay 7.4 GA	=7.4-update27
Liferay 7.4 GA	=7.4-update28
Liferay 7.4 GA	=7.4-update29
Liferay 7.4 GA	=7.4-update3
Liferay 7.4 GA	=7.4-update30
Liferay 7.4 GA	=7.4-update31
Liferay 7.4 GA	=7.4-update32
Liferay 7.4 GA	=7.4-update33
Liferay 7.4 GA	=7.4-update34
Liferay 7.4 GA	=7.4-update35
Liferay 7.4 GA	=7.4-update36
Liferay 7.4 GA	=7.4-update37
Liferay 7.4 GA	=7.4-update38
Liferay 7.4 GA	=7.4-update39
Liferay 7.4 GA	=7.4-update4
Liferay 7.4 GA	=7.4-update40
Liferay 7.4 GA	=7.4-update41
Liferay 7.4 GA	=7.4-update42
Liferay 7.4 GA	=7.4-update43
Liferay 7.4 GA	=7.4-update44
Liferay 7.4 GA	=7.4-update45
Liferay 7.4 GA	=7.4-update46
Liferay 7.4 GA	=7.4-update47
Liferay 7.4 GA	=7.4-update48
Liferay 7.4 GA	=7.4-update49
Liferay 7.4 GA	=7.4-update5
Liferay 7.4 GA	=7.4-update50
Liferay 7.4 GA	=7.4-update51
Liferay 7.4 GA	=7.4-update52
Liferay 7.4 GA	=7.4-update53
Liferay 7.4 GA	=7.4-update54
Liferay 7.4 GA	=7.4-update55
Liferay 7.4 GA	=7.4-update56
Liferay 7.4 GA	=7.4-update57
Liferay 7.4 GA	=7.4-update58
Liferay 7.4 GA	=7.4-update59
Liferay 7.4 GA	=7.4-update6
Liferay 7.4 GA	=7.4-update60
Liferay 7.4 GA	=7.4-update61
Liferay 7.4 GA	=7.4-update62
Liferay 7.4 GA	=7.4-update63
Liferay 7.4 GA	=7.4-update64
Liferay 7.4 GA	=7.4-update65
Liferay 7.4 GA	=7.4-update66
Liferay 7.4 GA	=7.4-update67
Liferay 7.4 GA	=7.4-update68
Liferay 7.4 GA	=7.4-update69
Liferay 7.4 GA	=7.4-update7
Liferay 7.4 GA	=7.4-update70
Liferay 7.4 GA	=7.4-update71
Liferay 7.4 GA	=7.4-update72
Liferay 7.4 GA	=7.4-update73
Liferay 7.4 GA	=7.4-update74
Liferay 7.4 GA	=7.4-update75
Liferay 7.4 GA	=7.4-update76
Liferay 7.4 GA	=7.4-update77
Liferay 7.4 GA	=7.4-update78
Liferay 7.4 GA	=7.4-update79
Liferay 7.4 GA	=7.4-update8
Liferay 7.4 GA	=7.4-update80
Liferay 7.4 GA	=7.4-update81
Liferay 7.4 GA	=7.4-update82
Liferay 7.4 GA	=7.4-update83
Liferay 7.4 GA	=7.4-update84
Liferay 7.4 GA	=7.4-update85
Liferay 7.4 GA	=7.4-update86
Liferay 7.4 GA	=7.4-update87
Liferay 7.4 GA	=7.4-update88
Liferay 7.4 GA	=7.4-update89
Liferay 7.4 GA	=7.4-update9
Liferay 7.4 GA	=7.4-update90
Liferay 7.4 GA	=7.4-update91
Liferay 7.4 GA	=7.4-update92
Liferay 7.4 GA	>=7.3.2<=7.3.7
Liferay 7.4 GA	>=7.4.0<7.4.3.112

Never miss a vulnerability like this again

Reference Links

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2024-38002

Frequently Asked Questions

What is the severity of CVE-2024-38002?
CVE-2024-38002 has been rated as a critical severity vulnerability due to its potential for exploitation allowing unauthorized modifications.
How do I fix CVE-2024-38002?
To fix CVE-2024-38002, upgrade your Liferay Portal or Liferay DXP installation to the latest patched version that addresses this vulnerability.
What versions are affected by CVE-2024-38002?
CVE-2024-38002 affects Liferay Portal versions from 7.3.2 to 7.4.3.111 and specific versions of Liferay DXP 2023.
What type of vulnerability is CVE-2024-38002?
CVE-2024-38002 is a permissions-related vulnerability in the workflow component of Liferay applications.
Can CVE-2024-38002 lead to unauthorized access?
Yes, CVE-2024-38002 could potentially allow remote authenticated users to modify workflow definitions without proper permissions.

agent/weakness
agent/references
agent/type
agent/description
agent/first-publish-date
agent/author
agent/event
collector/mitre-cve
source/MITRE
agent/severity
agent/last-modified-date
agent/source
agent/softwarecombine
agent/tags
collector/nvd-api
source/NVD
agent/software-canonical-lookup
agent/software-canonical-lookup-request
vendor/liferay
canonical/liferay 7.4 ga
version/liferay 7.4 ga/2023.q3.1
version/liferay 7.4 ga/2023.q4.0
version/liferay 7.4 ga/7.3
version/liferay 7.4 ga/7.3-fix_pack_1
version/liferay 7.4 ga/7.3-fix_pack_2
version/liferay 7.4 ga/7.3-service_pack_1
version/liferay 7.4 ga/7.3-service_pack_3
version/liferay 7.4 ga/7.3-update10
version/liferay 7.4 ga/7.3-update11
version/liferay 7.4 ga/7.3-update12
version/liferay 7.4 ga/7.3-update13
version/liferay 7.4 ga/7.3-update14
version/liferay 7.4 ga/7.3-update15
version/liferay 7.4 ga/7.3-update16
version/liferay 7.4 ga/7.3-update17
version/liferay 7.4 ga/7.3-update18
version/liferay 7.4 ga/7.3-update19
version/liferay 7.4 ga/7.3-update20
version/liferay 7.4 ga/7.3-update21
version/liferay 7.4 ga/7.3-update22
version/liferay 7.4 ga/7.3-update23
version/liferay 7.4 ga/7.3-update24
version/liferay 7.4 ga/7.3-update25
version/liferay 7.4 ga/7.3-update26
version/liferay 7.4 ga/7.3-update27
version/liferay 7.4 ga/7.3-update28
version/liferay 7.4 ga/7.3-update29
version/liferay 7.4 ga/7.3-update30
version/liferay 7.4 ga/7.3-update31
version/liferay 7.4 ga/7.3-update32
version/liferay 7.4 ga/7.3-update33
version/liferay 7.4 ga/7.3-update34
version/liferay 7.4 ga/7.3-update35
version/liferay 7.4 ga/7.3-update36
version/liferay 7.4 ga/7.3-update4
version/liferay 7.4 ga/7.3-update5
version/liferay 7.4 ga/7.3-update6
version/liferay 7.4 ga/7.3-update7
version/liferay 7.4 ga/7.3-update8
version/liferay 7.4 ga/7.3-update9
version/liferay 7.4 ga/7.4
version/liferay 7.4 ga/7.4-update1
version/liferay 7.4 ga/7.4-update10
version/liferay 7.4 ga/7.4-update11
version/liferay 7.4 ga/7.4-update12
version/liferay 7.4 ga/7.4-update13
version/liferay 7.4 ga/7.4-update14
version/liferay 7.4 ga/7.4-update15
version/liferay 7.4 ga/7.4-update16
version/liferay 7.4 ga/7.4-update17
version/liferay 7.4 ga/7.4-update18
version/liferay 7.4 ga/7.4-update19
version/liferay 7.4 ga/7.4-update2
version/liferay 7.4 ga/7.4-update20
version/liferay 7.4 ga/7.4-update21
version/liferay 7.4 ga/7.4-update22
version/liferay 7.4 ga/7.4-update23
version/liferay 7.4 ga/7.4-update24
version/liferay 7.4 ga/7.4-update25
version/liferay 7.4 ga/7.4-update26
version/liferay 7.4 ga/7.4-update27
version/liferay 7.4 ga/7.4-update28
version/liferay 7.4 ga/7.4-update29
version/liferay 7.4 ga/7.4-update3
version/liferay 7.4 ga/7.4-update30
version/liferay 7.4 ga/7.4-update31
version/liferay 7.4 ga/7.4-update32
version/liferay 7.4 ga/7.4-update33
version/liferay 7.4 ga/7.4-update34
version/liferay 7.4 ga/7.4-update35
version/liferay 7.4 ga/7.4-update36
version/liferay 7.4 ga/7.4-update37
version/liferay 7.4 ga/7.4-update38
version/liferay 7.4 ga/7.4-update39
version/liferay 7.4 ga/7.4-update4
version/liferay 7.4 ga/7.4-update40
version/liferay 7.4 ga/7.4-update41
version/liferay 7.4 ga/7.4-update42
version/liferay 7.4 ga/7.4-update43
version/liferay 7.4 ga/7.4-update44
version/liferay 7.4 ga/7.4-update45
version/liferay 7.4 ga/7.4-update46
version/liferay 7.4 ga/7.4-update47
version/liferay 7.4 ga/7.4-update48
version/liferay 7.4 ga/7.4-update49
version/liferay 7.4 ga/7.4-update5
version/liferay 7.4 ga/7.4-update50
version/liferay 7.4 ga/7.4-update51
version/liferay 7.4 ga/7.4-update52
version/liferay 7.4 ga/7.4-update53
version/liferay 7.4 ga/7.4-update54
version/liferay 7.4 ga/7.4-update55
version/liferay 7.4 ga/7.4-update56
version/liferay 7.4 ga/7.4-update57
version/liferay 7.4 ga/7.4-update58
version/liferay 7.4 ga/7.4-update59
version/liferay 7.4 ga/7.4-update6
version/liferay 7.4 ga/7.4-update60
version/liferay 7.4 ga/7.4-update61
version/liferay 7.4 ga/7.4-update62
version/liferay 7.4 ga/7.4-update63
version/liferay 7.4 ga/7.4-update64
version/liferay 7.4 ga/7.4-update65
version/liferay 7.4 ga/7.4-update66
version/liferay 7.4 ga/7.4-update67
version/liferay 7.4 ga/7.4-update68
version/liferay 7.4 ga/7.4-update69
version/liferay 7.4 ga/7.4-update7
version/liferay 7.4 ga/7.4-update70
version/liferay 7.4 ga/7.4-update71
version/liferay 7.4 ga/7.4-update72
version/liferay 7.4 ga/7.4-update73
version/liferay 7.4 ga/7.4-update74
version/liferay 7.4 ga/7.4-update75
version/liferay 7.4 ga/7.4-update76
version/liferay 7.4 ga/7.4-update77
version/liferay 7.4 ga/7.4-update78
version/liferay 7.4 ga/7.4-update79
version/liferay 7.4 ga/7.4-update8
version/liferay 7.4 ga/7.4-update80
version/liferay 7.4 ga/7.4-update81
version/liferay 7.4 ga/7.4-update82
version/liferay 7.4 ga/7.4-update83
version/liferay 7.4 ga/7.4-update84
version/liferay 7.4 ga/7.4-update85
version/liferay 7.4 ga/7.4-update86
version/liferay 7.4 ga/7.4-update87
version/liferay 7.4 ga/7.4-update88
version/liferay 7.4 ga/7.4-update89
version/liferay 7.4 ga/7.4-update9
version/liferay 7.4 ga/7.4-update90
version/liferay 7.4 ga/7.4-update91
version/liferay 7.4 ga/7.4-update92
version/liferay 7.4 ga/7.3.2
version/liferay 7.4 ga/7.3.7
version/liferay 7.4 ga/7.4.0