CVE-2024-25143 — Allocation of Resources Without Limits or Throttling in Digital Experience Platform

CWE-770 — Allocation of Resources Without Limits or Throttling CWE-400 — Uncontrolled Resource Consumption4 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.7%

top 26.93%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay Digital Experience Platform Liferay Portal Liferay DXP +1 more

Timeline

PublishedFeb 7

Description

The Document and Media widget In Liferay Portal 7.2.0 through 7.3.6, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 13, and older unsupported versions, does not limit resource consumption when generating a preview image, which allows remote authenticated users to cause a denial of service (memory consumption) via crafted PNG images.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

▶NVDliferay/liferay_portal7.3.0 — 7.3.7+2

▶CVEListV5liferay/portal7.2.0 — 7.3.6

▶NVDliferay/digital_experience_platform< 7.2+2

▶CVEListV5liferay/dxp7.3.10 — 7.3.10-dxp-2+1

🔴Vulnerability Details

OSV

Liferay Portal denial of service (memory consumption)↗2024-02-07

▶

GHSA

Liferay Portal denial of service (memory consumption)↗2024-02-07

▶

CVEList

CVE-2024-25143: The Document and Media widget In Liferay Portal 7↗2024-02-07

▶