CVE-2021-29043: Insufficiently Protected Credentials in Portal

Severity: 5.9 MEDIUM (NVD)
EPSS: 0.2% (top 57.38%)
CISA KEV: Not in KEV
Exploit: No known exploits

Timeline
Published: May 17
Latest update: May 24

Description

The Portal Store module in Liferay Portal 7.0.0 through 7.3.5, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 does not obfuscate the S3 store's proxy password, which allows attackers to steal the proxy password via man-in-the-middle attacks or shoulder surfing.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.2 | Impact: 3.6

Affected Packages (3 packages)

NVD: liferay/liferay_portal, 7.0.0 through 7.3.5
NVD: liferay/dxp, 7.3

Vulnerability Details (3)

GHSA: Liferay Portal and Liferay DXP May Reveal S3 Store's Proxy Password (2022-05-24)
OSV: Liferay Portal and Liferay DXP May Reveal S3 Store's Proxy Password (2022-05-24)
CVEList: CVE-2021-29043: The Portal Store module in Liferay Portal 7 (2021-05-17)