CVE-2024-38002 — Missing Authorization in Digital Experience Platform

CWE-862 — Missing Authorization CWE-863 — Incorrect Authorization4 documents4 sources

Severity

8.8HIGHNVD

CNA9.0

EPSS

4.3%

top 11.15%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay Digital Experience Platform Liferay Portal Liferay DXP +1 more

Timeline

PublishedOct 22

Description

The workflow component in Liferay Portal 7.3.2 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92 and 7.3 GA through update 36 does not properly check user permissions before updating a workflow definition, which allows remote authenticated users to modify workflow definitions and execute arbitrary code (RCE) via the headless API.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

▶NVDliferay/liferay_portal7.4.0 — 7.4.3.112+1

▶CVEListV5liferay/portal7.3.2 — 7.3.7+1

▶NVDliferay/digital_experience_platform2023.q3.1 — 2023.q3.9+3

▶CVEListV5liferay/dxp7.3.10 — 7.3.10-u36+3

🔴Vulnerability Details

GHSA

Liferay Portal and Liferay DXP Workflow Component Does Not Check User Permissions↗2024-10-22

▶

OSV

Liferay Portal and Liferay DXP Workflow Component Does Not Check User Permissions↗2024-10-22

▶

CVEList

CVE-2024-38002: The workflow component in Liferay Portal 7↗2024-10-22

▶