CST-7308 'portlet.resource.id.banned.paths.regexp' bypass with double-encoded URLs

Description

Liferay Portal before 7.3.1 does not decode a URL before determining whether the resource should be served: the `portlet.resource.id.banned.paths.regexp` check is applied to the still-encoded resource ID, so an encoded path separator does not match the banned pattern. This allows remote attackers to access restricted portlet resources (e.g., files within /META-INF and /WEB-INF) via double-encoded URLs.
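The following is an added illustration, not Liferay's code: it models a banned-paths check applied to the raw resource ID (the pre-fix behaviour the description names) next to a version that fully percent-decodes and normalises the ID before applying the same pattern. The pattern `BANNED_RE`, the function names, the sample resource IDs and the assumption that the servlet container has already applied one round of URL decoding are all assumptions made for the example; the real default value of `portlet.resource.id.banned.paths.regexp` is not reproduced here. Python is used because the decoding logic is the same in any language.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed banned-path pattern for illustration only; this is not Liferay's
# actual default for portlet.resource.id.banned.paths.regexp.
BANNED_RE = re.compile(r"(^|/)(META-INF|WEB-INF)(/|$)")


def vulnerable_is_banned(resource_id: str) -> bool:
    """Pre-fix behaviour as the advisory describes it: the regexp is applied
    to the resource ID exactly as received, with no decoding first."""
    return BANNED_RE.search(resource_id) is not None


def fully_decode(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until the string stops changing, so stacked encodings
    (%252F -> %2F -> /) cannot hide a path separator. The round limit keeps
    a pathological input from being decoded indefinitely."""
    current = value
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            return current
        current = decoded
    raise ValueError("resource ID has too many layers of percent-encoding")


def hardened_is_banned(resource_id: str) -> bool:
    """Decode and normalise first, then apply the same regexp. Backslashes are
    folded to '/' and dot segments collapsed so '..' cannot walk back into a
    banned directory after the check."""
    decoded = fully_decode(resource_id).replace("\\", "/")
    normalized = posixpath.normpath(decoded)
    return BANNED_RE.search(normalized) is not None


# Constructed resource IDs (not captured traffic), as the portal would see
# them after the servlet container has applied its single round of decoding.
# The boolean is whether a correct check should block the request.
SAMPLES = {
    "/WEB-INF/web.xml": True,            # plain request: both checks block it
    "%2FWEB-INF%2Fweb.xml": True,        # double-encoded on the wire: raw check misses it
    "%252FWEB-INF%252Fweb.xml": True,    # triple-encoded
    "/css/..%2FWEB-INF/web.xml": True,   # encoded separator plus a dot segment
    "/META-INF/MANIFEST.MF": True,
    "/css/main.css": False,
    "/images/WEB-INFO.png": False,       # similar name, not the directory itself
}


def run_demo():
    """Return {resource_id: (vulnerable_result, hardened_result, should_block)}."""
    return {
        rid: (vulnerable_is_banned(rid), hardened_is_banned(rid), expected)
        for rid, expected in SAMPLES.items()
    }


if __name__ == "__main__":
    for rid, (vuln, hard, expected) in run_demo().items():
        print(f"{rid:30} raw_check={vuln!s:5} decoded_check={hard!s:5} should_block={expected}")
```

Run it and the double- and triple-encoded IDs show the gap: the raw check reports them as allowed while the decoded check blocks them. The hardened version is only as good as what runs after it, so the decoded, normalised path is what should be passed on to the code that actually resolves and serves the file; checking one form and serving another reintroduces the same class of bypass.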

Severity

Severity 1

Fixed Version(s)

Notes

CVE-2020-15840 has been assigned to this vulnerability.

Publication date: Mon, 31 Aug 2020 17:00:00 +0000

Security advisories for Liferay's enterprise offerings (e.g., Liferay DXP) are only listed here since 2023. Historical advisories are available in the Help Center.