CVE-2021-29040 — Information Exposure via Error Message in Digital Experience Platform

CWE-209 — Information Exposure via Error Message4 documents4 sources

Severity

5.3MEDIUMNVD

EPSS

0.4%

top 39.12%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay Digital Experience Platform Liferay Portal

Timeline

PublishedMay 16

Latest updateMay 24

Description

The JSON web services in Liferay Portal 7.3.4 and earlier, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 20 and 7.2 before fix pack 10 may provide overly verbose error messages, which allows remote attackers to use the contents of error messages to help launch another, more focused attacks via crafted inputs.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶NVDliferay/liferay_portal7.3.4

▶NVDliferay/digital_experience_platform< 7.0+3

🔴Vulnerability Details

GHSA

Liferay Portal and Liferay DXP Reveals Data via Overly Verbose Error Messages↗2022-05-24

▶

OSV

Liferay Portal and Liferay DXP Reveals Data via Overly Verbose Error Messages↗2022-05-24

▶

CVEList

CVE-2021-29040: The JSON web services in Liferay Portal 7↗2021-05-16

▶