Description
In Liferay Portal before 7.3.2, the template API does not restrict user access to sensitive objects, which allows remote authenticated users to execute arbitrary code via crafted FreeMarker and Velocity templates.
Workaround: Review users who have permission to add and edit FreeMarker/Velocity templates. Only trusted users should be granted the permissions needed to add and edit templates. Reviewing the owners of existing templates may also be necessary, as owners have full privileges over their own templates.
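The control the fix restores, templates that cannot reach objects outside their intended data model, can be illustrated at the engine level with FreeMarker's own sandbox settings. The following is an added illustration, not Liferay's patch or code: it builds a hardened `freemarker.template.Configuration` that disables the `new` built-in, the `?api` built-in and unsafe bean methods, renders ordinary data with it, and checks that templates reaching beyond the model are rejected (the `title` value and class name are constructed sample data).

```java
import freemarker.core.TemplateClassResolver;
import freemarker.ext.beans.BeansWrapper;
import freemarker.template.Configuration;
import freemarker.template.DefaultObjectWrapperBuilder;
import freemarker.template.Template;
import freemarker.template.TemplateException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

public class TemplateSandboxDemo {
    // Hardened engine: no "new" built-in, no ?api escape hatch, and a bean
    // wrapper that hides unsafe methods such as getClass() from templates.
    static Configuration hardened() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_30);
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        cfg.setAPIBuiltinEnabled(false);
        DefaultObjectWrapperBuilder wb = new DefaultObjectWrapperBuilder(Configuration.VERSION_2_3_30);
        wb.setExposureLevel(BeansWrapper.EXPOSE_SAFE);
        cfg.setObjectWrapper(wb.build());
        return cfg;
    }

    // Renders a user-supplied template against a data model that contains only
    // the values the template is meant to see (constructed "title" value below).
    static String render(Configuration cfg, String source, Map<String, Object> model)
            throws Exception {
        Template t = new Template("user-template", new StringReader(source), cfg);
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        Configuration cfg = hardened();
        Map<String, Object> model = new HashMap<>();
        model.put("title", "Hello");
        System.out.println(render(cfg, "${title}", model)); // ordinary data renders

        // Verify the restrictions hold: a template that tries to reach beyond the
        // model (instantiate a class, or unwrap a value with ?api) must be rejected.
        for (String probe : new String[] {"${\"java.lang.String\"?new()}", "${title?api}"}) {
            try {
                render(cfg, probe, model);
                System.out.println("UNEXPECTED: restriction bypassed");
            } catch (TemplateException e) {
                System.out.println("blocked: " + e.getMessage().split("\n")[0]);
            }
        }
    }
}
```

Both probes end in the `catch` branch under the hardened configuration; removing any one of the three settings in `hardened()` lets the corresponding probe through, which makes the method a useful regression check for whatever template engine configuration a deployment ships.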
Severity
Severity 1
Fixed Version(s)
- Liferay Portal 7.3.2
- June 2020 source patch for Liferay Portal 7.2.1. Details for working with source patches can be found on the Patching Liferay Portal page.
- June 2020 source patch for Liferay Portal 7.1.3. Details for working with source patches can be found on the Patching Liferay Portal page.
Notes
CVE-2020-13445 has been assigned to this vulnerability.
Acknowledgments
This issue was reported by Alvaro Muñoz (@pwntester).
Publication date: Tue, 09 Jun 2020 02:00:00 +0000