[LPE-13943] XXE vulnerability in OpenID authentication - Liferay Issues

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: 6.1 EE GA3 (6.1.30), 6.2 EE GA1 (6.2.10)
Fix Version/s: 6.1.X EE, 6.2.X EE
Component/s: Application Security > OpenID, Security Vulnerability
Labels:

Description

Portal use old version of openid4java.jar that is vulnerable to XXE attack. This flaw allows an attacker to read file system, connect to internal systems (SSRF) and perform DoS on portal.

See also https://web.liferay.com/group/customer/products/portal/security-vulnerability/lsv-123

Attachments

Activity

People

Assignee:: Steven Smith (Inactive)

Reporter:: Tibor Lipusz

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 12/Jun/15 6:22 AM

Updated:: 04/Jul/19 7:13 AM

Resolved:: 28/Nov/16 11:45 AM

Packages

Version	Package
6.1.X EE
6.2.X EE