Description
The Test LDAP Users functionality in Liferay Portal 7.0.0 through 7.4.3.4 includes the LDAP credential in the page URL when paginating through the list of users, which allows man-in-the-middle attackers or attackers with access to the request logs to see the LDAP credential.
Severity
8.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N)
Affected Version(s)
- Liferay Portal 7.0.0 - 7.0.6
- Liferay Portal 7.1.0 - 7.1.3
- Liferay Portal 7.2.0 - 7.2.1
- Liferay Portal 7.3.0 - 7.3.7
- Liferay Portal 7.4.0 - 7.4.3.4
Fixed Version(s)
There is no fix available for Liferay Portal 7.0, 7.1, 7.2 and 7.3. Please upgrade to Liferay Portal 7.4.
Notes
Deployments of Liferay Portal not using HTTPS should assume their LDAP credentials has been leaked and should change the LDAP password right away. All deployments of Liferay Portal using LDAP should review the request logs and check if the LDAP password appears in the logs.
Publication date: Wed, 19 Oct 2022 07:35:00 +0000