Description
Liferay Portal 7.2.0 and earlier contains a remote code execution (RCE) vulnerability via JSON web services (JSONWS).
Workaround: Disable JSONWS by setting the portal property jsonws.servlet.hosts.allowed=Not/Available
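A check that the workaround above is actually in effect, as an added example (not Liferay's code): it reads the text of a properties file with a simplified Java .properties parser and reports the effective value of jsonws.servlet.hosts.allowed. The sample file content, the other key in it, and the function names are constructed for illustration.

```python
import re

PROPERTY = "jsonws.servlet.hosts.allowed"  # property named in the advisory
WORKAROUND_VALUE = "Not/Available"         # value given in the advisory


def parse_properties(text):
    """Simplified Java .properties reader: '#'/'!' comments, '=', ':' or
    whitespace separators, backslash continuation, last assignment wins."""
    props, pending = {}, ""
    # The trailing "" flushes a continuation left open on the last line.
    for raw in text.splitlines() + [""]:
        line = pending + raw.lstrip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        # An odd number of trailing backslashes continues the logical line.
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:
            pending = line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def workaround_status(text):
    """Return (applied, effective_value); effective_value is None if unset."""
    value = parse_properties(text).get(PROPERTY)
    return value == WORKAROUND_VALUE, value


# Constructed sample: the workaround is set, then overridden further down.
SAMPLE = """\
# constructed sample override file
jsonws.servlet.hosts.allowed=Not/Available
example.other.key=1
jsonws.servlet.hosts.allowed = 127.0.0.1,\\
    10.0.0.5
"""

if __name__ == "__main__":
    applied, value = workaround_status(SAMPLE)
    print(f"{PROPERTY} = {value!r}; workaround applied: {applied}")
```

A duplicate assignment later in the file replaces the earlier one, so checking only for the presence of the workaround line is not enough.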
Severity
Severity 1
Fixed Version(s)
- Liferay Portal 7.2.1
- March 2020 source patch for Liferay Portal 7.1.3. Details for working with source patches can be found on the Patching Liferay Portal page.
- March 2020 source patch for Liferay Portal 7.0.6. Details for working with source patches can be found on the Patching Liferay Portal page.
- March 2020 source patch for Liferay Portal 6.2.5. Details for working with source patches can be found on the Patching Liferay Portal page.
Notes
This vulnerability has been assigned CVE-2020-7961.
Acknowledgments
This issue was reported by Markus Wulftange.
Publication date: Mon, 25 Nov 2019 08:45:00 +0000