Description
Server-side request forgery (SSRF) vulnerability in the pingback functionality of blogs in Liferay Portal before 7.1.0 allows remote attackers to send HTTP requests to intranet servers and conduct port-scanning attacks by specifying a crafted source URL.
Workaround:
Disable pingbacks in portal.properties by setting blogs.pingbacks.enabled=false
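Where pingbacks cannot simply be switched off, the receiving side needs to validate the caller-supplied source URL before fetching it. The following is an added example of such a pre-flight check, not Liferay's code and not the patch described on this page; function names, the allowed-port list and the name-to-address table (SAMPLE_DNS, an offline stand-in for DNS) are all constructed for illustration.

```python
"""Added example: pre-flight validation of a pingback source URL (not Liferay code)."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def resolve_all(host):
    """Default resolver: every address the system resolver returns for host."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    # Strip a possible IPv6 scope id ("fe80::1%eth0") before parsing.
    return [ipaddress.ip_address(info[4][0].split("%")[0]) for info in infos]


def make_table_resolver(table):
    """Resolver backed by a fixed name->addresses table (offline stand-in for DNS)."""
    def resolve(host):
        return [ipaddress.ip_address(a) for a in table.get(host.lower(), [])]
    return resolve


def is_public_address(addr):
    """True only for addresses that are not loopback, private, link-local, etc."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:10.0.0.1 is really 10.0.0.1
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_pingback_source(url, resolver=resolve_all, allowed_ports=(80, 443)):
    """Return (ok, reason, addresses) for a caller-supplied source URL.

    Rejects non-HTTP schemes, unusual ports (the port-scanning case), literal
    internal addresses, and hostnames that resolve to ANY non-public address.
    The vetted addresses are returned so the caller can connect to exactly what
    was checked instead of resolving the name a second time.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", []
    host = parts.hostname
    if not host:
        return False, "missing host", []
    try:
        port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    except ValueError:
        return False, "malformed port", []
    if port not in allowed_ports:
        return False, "port not allowed", []
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IP in the URL
    except ValueError:
        addrs = resolver(host)               # hostname: resolve it ourselves
    if not addrs:
        return False, "host does not resolve", []
    bad = [a for a in addrs if not is_public_address(a)]
    if bad:
        return False, f"resolves to non-public address {bad[0]}", []
    return True, "ok", addrs


# Constructed sample table; 1.2.3.4 merely stands in for a public address.
SAMPLE_DNS = {
    "blog.example.com": ["1.2.3.4"],
    "intranet.corp.example": ["10.1.2.3"],
    "localhost": ["127.0.0.1", "::1"],
    "mixed.example": ["1.2.3.4", "192.168.0.1"],  # one public, one internal
}


def demo():
    """Run the check over a few constructed source URLs; returns url -> (ok, reason)."""
    resolver = make_table_resolver(SAMPLE_DNS)
    urls = [
        "http://blog.example.com/post/1",
        "http://intranet.corp.example/admin",
        "http://localhost/",
        "http://[::ffff:10.0.0.1]/",
        "http://blog.example.com:8080/",
        "http://mixed.example/",
        "file:///etc/passwd",
    ]
    return {u: check_pingback_source(u, resolver)[:2] for u in urls}


if __name__ == "__main__":
    for url, (ok, reason) in demo().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {url}  ({reason})")
```

Two details matter in practice. The check resolves the name itself and returns the vetted addresses, because validating the name and then letting the HTTP client resolve it again leaves a window for the name to change between the two lookups. The same check must also be applied to every redirect target, since a public host can redirect the fetch back into the internal network.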
Severity
Severity 1
Fixed Version(s)
- March 2020 source patch for Liferay Portal 7.0.6. Details for working with source patches can be found on the Patching Liferay Portal page.
- March 2020 source patch for Liferay Portal 6.2.5. Details for working with source patches can be found on the Patching Liferay Portal page.
Acknowledgments
This issue was reported by Christian Mehlmauer.
Publication date: Mon, 02 Mar 2020 07:21:00 +0000