Description
Liferay Faces Alloy allows attackers to upload very large files which may be used in a denial of service attack in a Servlet (non-Portlet) environment.
Non-Portlet Vulnerability
This vulnerability does not affect portlets using Liferay Faces Alloy. However, a recently discovered and fixed vulnerability causes com.liferay.faces.util.uploadedFileMaxSize to be ignored in a portlet environment as well. For more information see the Faces vulnerability announcement: DoS via large file upload.
Severity
Severity 2
Fixed Version(s)
Notes
To install, remove any old versions of Liferay Faces Alloy and place the fixed version of Liferay Faces Alloy in the appropriate location.
The dependency can be included via Maven, Gradle, or Ivy.
In a Maven project pom.xml <dependencies> section, add the following <dependency>:
<dependency>
    <groupId>com.liferay.faces</groupId>
    <artifactId>com.liferay.faces.alloy</artifactId>
    <version>3.0.2</version>
</dependency>
In a Gradle project build.gradle dependencies section, add the following dependency:
compile group: 'com.liferay.faces', name: 'com.liferay.faces.alloy', version: '3.0.2'
In an Ant-Ivy project ivy.xml <dependencies> section, add the following <dependency>:
<dependency org="com.liferay.faces" name="com.liferay.faces.alloy" rev="3.0.2" />
Publication date: Tue, 27 Aug 2019 21:54:00 +0000