-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI
JavaJavaMiggo AIRoot Cause AnalysisThe vulnerability stems from two key behaviors: 1) Site resolution logic leaks existence information via response discrepancies, and 2) Error handling fails to unify responses for 'site not found' and 'unauthorized access' cases. The SiteFriendlyURLResolver.resolve() method is central to URL-to-site mapping and would directly expose existence information through its return paths. StrutsPortletResponse.handlePortalException() controls error rendering and would differentiate between missing resources and permission issues. Both functions are implicated by the described attack vector (URL enumeration via response differences) and configuration requirements (locale.prepend.friendly.url.style=2 + custom 404).
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| com.liferay.portal:release.portal.bom | maven | >= 7.2.0, < 7.4.2 | 7.4.2 |
| com.liferay.portal:release.dxp.bom | maven | >= 7.3.0, < 7.3.10.u4 | 7.3.10.u4 |
| com.liferay.portal:release.dxp.bom |
| maven |
| >= 7.2.0, < 7.2.10.fp18 |
| 7.2.10.fp18 |
Ongoing coverage of React2Shell