[LPE-17023] Remote code execution (RCE) with FreeMarker/Velocity templates - Liferay Issues

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: 7.0 DE (7.0.10), 7.1 DXP (7.1.10), 7.2 DXP (7.2.10)
Fix Version/s: 7.0.X EE, 7.1.x EE, 7.2.X EE
Component/s: Portal Services > Templates Engine, Security Vulnerability
Labels:

Business Value:
5
CVE IDs:
CVE-2020-13445
CVSS Base Score:
9.9
CVSS Vector String:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
7.0 Fix Pack Version:
92
7.1 Fix Pack Version:
18
7.2 Fix Pack Version:
6

Description

In Liferay DXP 7.0, 7.1 and 7.2, the template API gives users access to sensitive objects, which allows remote authenticated users to execute arbitrary code via FreeMarker and Velocity templates.

See also in Help Center: https://help.liferay.com/hc/en-us/articles/360044036131

Attachments

Activity

People

Assignee:: EE Support

Reporter:: Enterprise Release HU

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 14/May/20 8:24 AM

Updated:: 17/Mar/21 3:46 AM

Resolved:: 13/Jul/20 10:48 AM

Packages

Version	Package
7.0.X EE
7.1.x EE
7.2.X EE