Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-33946: CVE-2023-33946 Unauthorized access to objects via OAuth 2 scope - Liferay

The Object module in Liferay Portal 7.4.3.4 through 7.4.3.48, and Liferay DXP 7.4 before update 49 does properly isolate objects in difference virtual instances, which allows remote authenticated users in one virtual instance to view objects in a different virtual instance via OAuth 2 scope administration page.

CVE
#vulnerability#web#perl#oauth#auth

This website uses cookies to ensure you get the best experience. Learn More.

Accept

  • Ask
  • Blogs
  • Download
  • Feedback
  • Help
  • Learn
  • Projects
  • /dev/24
  • Log In

Known Vulnerabilities

  • Overview
  • Reporting Security Issues
  • Known Vulnerabilities
  • Hall of Fame

Releases

  • Liferay Portal 7.4

  • Liferay Portal 7.3

  • Liferay Portal 7.2

  • Liferay Portal 7.1

  • Liferay Portal 7.0

  • Liferay Portal 6.2 CE

  • Liferay Faces

  • Liferay DXP 7.4

  • Liferay DXP 7.3

  • Liferay DXP 7.2

  • LIferay DXP 7.1

  • LIferay DXP 7.0

CVE-2023-33946 Unauthorized access to objects via OAuth 2 scope

Description

The Object module in Liferay Portal and Liferay DXP does properly isolate objects in difference virtual instances, which allows remote authenticated users in one virtual instance to view objects in a different virtual instance via OAuth 2 scope administration page.

Severity

2.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N)

Affected Version(s)

  • Liferay DXP 7.4 before update 49
  • Liferay Portal 7.4.3.4 - 7.4.3.48

Fixed Version(s)

  • Liferay DXP 7.4 update 49
  • Liferay Portal 7.4.3.49

Publication date: Wed, 24 May 2023 07:00:00 +0000

Security advisories for Liferay’s enterprise offerings (e.g., Liferay DXP) are only listed here since 2023. Historial advisories are availabe in the Help Center.

Related news

GHSA-2868-ff44-43qv: Liferay portal unauthorized access to objects via OAuth 2 scope

The Object module in Liferay Portal 7.4.3.4 through 7.4.3.48, and Liferay DXP 7.4 before update 49 does properly isolate objects in difference virtual instances, which allows remote authenticated users in one virtual instance to view objects in a different virtual instance via OAuth 2 scope administration page.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907