The Test LDAP Users functionality in Liferay Portal 7.0.0 through 220.127.116.11 includes the LDAP credential in the page URL when paginating through the list of users, which allows man-in-the-middle attackers or attackers with access to the request logs to see the LDAP credential.
- Liferay Portal 7.0.0 - 7.0.6
- Liferay Portal 7.1.0 - 7.1.3
- Liferay Portal 7.2.0 - 7.2.1
- Liferay Portal 7.3.0 - 7.3.7
- Liferay Portal 7.4.0 - 18.104.22.168
There is no fix available for Liferay Portal 7.0, 7.1, 7.2 and 7.3. Please upgrade to Liferay Portal 22.214.171.124.
Deployments of Liferay Portal not using HTTPS should assume their LDAP credentials has been leaked and should change the LDAP password right away. All deployments of Liferay Portal using LDAP should review the request logs and check if the LDAP password appears in the logs.
Publication date: Wed, 19 Oct 2022 07:35:00 +0000