
CVE-2020-7961:
Deserialization of Untrusted Data in Liferay Portal

CVSS Score: 9.8 (CVSS v3.1)

Basic Information

EPSS Score: 0.99974%
Published: 5/24/2022
Updated: 8/28/2024
KEV Status: Yes
Technology: Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name                                    Ecosystem   Vulnerable Versions   First Patched Version
com.liferay.portal:com.liferay.portal.kernel    maven       < 4.35.3              4.35.3

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability (CVE-2020-7961) stems from insecure deserialization in Liferay's JSON web services (JSONWS) endpoint. The core issue lies in how JSON input is converted to Java objects during web service invocation. Two functions are central to JSONWS request handling:

  1. JSONWebServiceActionParameters.getParameterValue handles parameter unmarshalling.
  2. JSONWebServiceActionImpl.execute processes the entire request.

In vulnerable versions, these components let the JSON input decide which Java classes were instantiated and populated, so a request could name attacker-chosen classes, including classes that form a gadget chain, and the endpoint was reachable by an unauthenticated remote attacker (the CVSS vector above has PR:N). The first patched version (7.2.1 CE GA2) likely added validation/type restrictions in these components.
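The following sketch is an added illustration, not Liferay's code and not the Miggo analysis: a hypothetical JSON web-service parameter binder that instantiates whatever class name the request supplies (the class of defect described above), beside a hardened binder that only honours a requested class when it is on an allowlist and assignable to the parameter type the service method actually declares. The classes ParameterBinding, Config and SideEffectBean are invented for the example, and the "gadget" only counts instances so the effect is observable.

```java
import java.lang.reflect.Method;
import java.util.Map;
import java.util.Set;

/*
 * Illustrative sketch (hypothetical classes, not Liferay's code) of the
 * pattern behind CVE-2020-7961: a JSON-to-Java binder that lets the request
 * choose the class to instantiate, and a hardened variant that constrains the
 * choice to the declared parameter type plus an allowlist.
 */
public class ParameterBinding {

    /** The type the (hypothetical) service method declares for its parameter. */
    public static class Config {
        private String name;
        public void setName(String name) { this.name = name; }
        public String getName() { return name; }
    }

    /**
     * Stand-in for a gadget class: unrelated to Config, with a setter that has
     * a side effect. Here it only records that it ran; a real gadget would do
     * something dangerous in its constructor or setter.
     */
    public static class SideEffectBean {
        public static int instances = 0;
        public static String lastCommand;
        public SideEffectBean() { instances++; }
        public void setCommand(String command) { lastCommand = command; }
    }

    /** Calls setXxx(String) for each JSON field, as a JSON-to-bean mapper would. */
    private static void populate(Object bean, Map<String, String> fields) throws Exception {
        for (Map.Entry<String, String> e : fields.entrySet()) {
            String setter = "set" + Character.toUpperCase(e.getKey().charAt(0)) + e.getKey().substring(1);
            Method m = bean.getClass().getMethod(setter, String.class);
            m.invoke(bean, e.getValue());
        }
    }

    /** VULNERABLE: instantiates and populates whatever class the request names. */
    public static Object bindUnsafe(String requestedClass, Map<String, String> fields) throws Exception {
        Class<?> clazz = Class.forName(requestedClass);
        Object bean = clazz.getDeclaredConstructor().newInstance();
        populate(bean, fields);
        return bean;
    }

    /** Classes a request may name: keep this to the service's own parameter types. */
    private static final Set<String> ALLOWED = Set.of(Config.class.getName());

    /** HARDENED: the request may pick an allowlisted subtype of the declared type, nothing else. */
    public static Object bindSafe(Class<?> declaredType, String requestedClass,
                                  Map<String, String> fields) throws Exception {
        Class<?> clazz = declaredType;
        if (requestedClass != null) {
            // Check the name before loading anything, so untrusted classes are never loaded.
            if (!ALLOWED.contains(requestedClass)) {
                throw new IllegalArgumentException("class not allowed: " + requestedClass);
            }
            Class<?> requested = Class.forName(requestedClass);
            if (!declaredType.isAssignableFrom(requested)) {
                throw new IllegalArgumentException(requestedClass + " is not a " + declaredType.getName());
            }
            clazz = requested;
        }
        Object bean = clazz.getDeclaredConstructor().newInstance();
        populate(bean, fields);
        return bean;
    }

    public static void main(String[] args) throws Exception {
        // Constructed request: the service expects a Config, but the JSON names another class.
        String attackerClass = SideEffectBean.class.getName();
        Map<String, String> fields = Map.of("command", "attacker-controlled value");

        // Vulnerable path: the gadget's constructor and setter run with attacker input.
        Object o = bindUnsafe(attackerClass, fields);
        System.out.println("unsafe: instantiated " + o.getClass().getName()
                + ", SideEffectBean instances=" + SideEffectBean.instances);

        // Hardened path: the same request is rejected before the class is loaded.
        try {
            bindSafe(Config.class, attackerClass, fields);
        } catch (IllegalArgumentException ex) {
            System.out.println("safe: rejected (" + ex.getMessage() + ")");
        }

        // Hardened path still binds the legitimate parameter type.
        Config c = (Config) bindSafe(Config.class, Config.class.getName(), Map.of("name", "prod"));
        System.out.println("safe: bound Config with name=" + c.getName());
    }
}
```

The order of the checks matters: the allowlist is consulted before Class.forName so that the binder never loads, and so never runs the static initializer of, a class the attacker named; the isAssignableFrom check then guarantees that even an allowlisted class cannot be substituted for an unrelated parameter type.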


WAF Protection Rules

WAF Rule

Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS).

Reasoning

The vulnerability (CVE-2020-7961) stems from insecure deserialization in Liferay's JSON web services (JSONWS) endpoint. The core issue lies in how JSON input is converted to Java objects during web service invocation. Two functions are central to the JSONWS request handling process: JSONWebServiceActionParameters.getParameterValue and JSONWebServiceActionImpl.execute.