[LPE-17111] LSV-696: Overly verbose JSON web services errors - Liferay Issues

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 7.0 DE (7.0.10), 7.2 DXP (7.2.10)
Fix Version/s: 7.0.X EE, 7.1.x EE, 7.2.X EE
Component/s: Security Vulnerability, Web Services > JSON WS
Labels:

CVE IDs:
CVE-2021-29040
CVSS Base Score:
4.3
CVSS Vector String:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
7.0 Fix Pack Version:
97
7.1 Fix Pack Version:
20
7.2 Fix Pack Version:
10

Description

In Liferay DXP 7.0, 7.1 and 7.2, the JSON web service may contain overly verbose error messages, which allows remote attackers to use the contents of error messages to help launch another, more focused attacks.

Affected Version(s):

Vulnerable	Not vulnerable
6.2.10 + portal-172
7.0.10 + de-92
7.1.3
7.1.10 + dxp-17
7.2.1
7.2.10 + dxp-5
7.3.2	7.3.5
	7.3.10

Attachments

Activity

People

Assignee:: EE Support

Reporter:: Enterprise Release HU

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 07/Oct/20 12:40 PM

Updated:: 09/Apr/21 5:36 AM

Resolved:: 15/Dec/20 5:40 AM

Packages

Version	Package
7.0.X EE
7.1.x EE
7.2.X EE