[LPE-17009] LSV-675: DDMDataProvider API leaks REST data provider password - Liferay Issues

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: 7.0 DE (7.0.10), 7.1 DXP (7.1.10), 7.2 DXP (7.2.10)
Fix Version/s: 7.0.X EE, 7.1.x EE, 7.2.X EE
Component/s: Dynamic Data Mapping, Security Vulnerability
Labels:

Business Value:
5
CVE IDs:
CVE-2020-13444
CVSS Base Score:
9.6
CVSS Vector String:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
7.1 Fix Pack Version:
18

Description

The DDMDataProvider API in Liferay DXP 7.0, 7.1 and 7.2 does not sanitize the information returned by the API, which allows remote authenticated users to obtain the password to REST Data Providers.

See also in Help Center: https://help.liferay.com/hc/en-us/articles/360044035911

Attachments

Activity

People

Assignee:: EE Support

Reporter:: Enterprise Release HU

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 22/Apr/20 1:38 AM

Updated:: 09/Nov/20 11:52 AM

Resolved:: 13/Jul/20 10:49 AM

Packages

Version	Package
7.0.X EE
7.1.x EE
7.2.X EE