0

More than 5 years have passed since last update.

@shimizukawasaki(清水川崎)

[漏洞通告]CVE-2020-7961/Liferay Portal JSON Web Service存在未授权反序列化远程代码执行漏洞

Last updated at 2020-03-26Posted at 2020-03-26

漏洞描述

近日,Code White公开了在Liferay Portal中发现的JSON反序列化高危漏洞,未授权的攻击者可以通过精心构造的恶意数据对API接口发起远程代码执行的攻击.
Liferay是一个开源的Portal产品,提供对多个独立系统的内容集成,为企业信息、流程等的整合提供了一套完整的解决方案,和其他商业产品相比,Liferay有着很多优良的特性,而且免费,在全球都有较多用户.

漏洞编号

CVE-2020-7961
LPS-88051/LPE-165981

漏洞威胁等级

高危

影响范围

Liferay Portal 6.1.X
Liferay Portal 6.2.X
Liferay Portal 7.0.X
Liferay Portal 7.1.X
Liferay Portal 7.2.X

漏洞验证

漏洞回显效果如下

修复建议

升级到最新版本

时间轴

[0] 2020/03/20 CodeWhite公开漏洞细节
[1] 2020/03/26 亚信安全网络攻防实验室分析&复现该漏洞并发布漏洞通告

Reference

https://codewhitesec.blogspot.com/2020/03/liferay-portal-json-vulns.html
https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/117954271

0

Register as a new user and use Qiita more conveniently

You get articles that match your needs
You can efficiently read back useful information
You can use dark theme

What you can do with signing up

0