[LPE-17075] Unauthorized users can view the Guest and User roles - Liferay Issues

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 7.0 DE (7.0.10), 7.1 DXP (7.1.10), 7.2 DXP (7.2.10)
Fix Version/s: 7.0.X EE, 7.1.x EE, 7.2.X EE
Component/s: Application Security > Permissions, Security Vulnerability, User Management
Labels:

CVE IDs:
CVE-2021-33327
CVSS Base Score:
4.3
CVSS Vector String:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
7.0 Fix Pack Version:
95
7.1 Fix Pack Version:
19
7.2 Fix Pack Version:
8

Description

The portlet configuration module in Liferay DXP 7.0 service pack 93+, 7.1 service pack 18+ and 7.2 does not properly check user permission, which allows remote authenticated users to view the Guest and User role even if "Role Visibility" is enabled. This issue is due to an incomplete fix in ~~LPE-16341~~.

Attachments

Activity

People

Assignee:: EE Support

Reporter:: Enterprise Release HU

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 07/Aug/20 9:20 AM

Updated:: 02/Aug/21 12:01 AM

Resolved:: 15/Sep/20 2:38 AM

Packages

Version	Package
7.0.X EE
7.1.x EE
7.2.X EE