CST-7205 Unauthenticated Remote code execution via JSONWS

Description

Liferay Portal 7.2.0 and earlier contain a remote code execution (RCE) vulnerability via JSON web services (JSONWS).


Workaround: Disable JSONWS by setting the portal property jsonws.servlet.hosts.allowed=Not/Available
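As an added example (not Liferay's code), a small audit that parses a Liferay portal-ext.properties file and reports whether the workaround above is in place. It assumes standard Java .properties syntax and treats only the advisory's exact value as the applied workaround; the sample configurations are constructed.

```python
"""Check whether a portal-ext.properties applies the CST-7205 workaround.

Added example, not Liferay code. Assumes Java .properties syntax and that the
workaround is exactly the value given in the advisory.
"""
import re

KEY = "jsonws.servlet.hosts.allowed"
WORKAROUND_VALUE = "Not/Available"  # value from the advisory


def parse_properties(text):
    """Minimal Java .properties parser: '#'/'!' comments, '=' or ':' separators,
    backslash line continuations. The last occurrence of a key wins."""
    logical_lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if buf:
            line = line.lstrip()  # continuation lines drop leading whitespace
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        logical_lines.append(buf + line)
        buf = ""
    if buf:
        logical_lines.append(buf)
    props = {}
    for line in logical_lines:
        stripped = line.strip()
        if not stripped or stripped[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", stripped)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def jsonws_workaround_applied(text):
    """True only when the key is present and set to the advisory's value.
    A missing key or an empty value leaves JSONWS reachable."""
    return parse_properties(text).get(KEY) == WORKAROUND_VALUE


# Constructed sample: the key is only present as a comment, so it is not set.
VULNERABLE_CONFIG = """\
# portal-ext.properties (constructed sample)
#jsonws.servlet.hosts.allowed=
company.default.locale=en_US
"""

# Constructed sample: workaround applied, split over a continuation line.
HARDENED_CONFIG = """\
company.default.locale=en_US
jsonws.servlet.hosts.allowed=\\
    Not/Available
"""

if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "workaround applied:", jsonws_workaround_applied(cfg))
```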

Severity

Severity 1

Fixed Version(s)

Notes

This vulnerability has been assigned CVE-2020-7961.

Acknowledgments

This issue was reported by Markus Wulftange.

Publication date: Mon, 25 Nov 2019 08:45:00 +0000

Security advisories for Liferay's enterprise offerings (e.g., Liferay DXP) are only listed here since 2023. Historical advisories are available in the Help Center.