| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| com.liferay:com.liferay.portal.workflow.kaleo.forms.web | maven | < 5.0.29 | 5.0.29 |
The vulnerability is a Denial of Service (DoS) caused by uncontrolled resource consumption in the Kaleo Forms Admin portlet of Liferay Portal. The core of the issue is that the portlet did not restrict which HTTP request parameters it copied into the user's portlet session. An attacker can exploit this by sending requests carrying a very large number of arbitrary parameters; each one is stored as a session attribute, so the server allocates memory for all of them, and because session state outlives the request that created it, the allocations accumulate until the server runs out of memory.
Analysis of the provided commits confirms this description. Commit 5d62db9d01005fc148297dad37f84660cd8b4a2b directly addresses the vulnerability: the change to KaleoFormsAdminPortlet.java modifies the saveInPortletSession method. The original, vulnerable version iterated over every name returned by resourceRequest.getParameterNames() and saved each one into the session. The patched version replaces that loop with one that iterates over a predefined allow-list of parameter names (_parameterNames and their localized variants) and reads only those from the request. Parameter names the attacker invents are therefore never looked up or stored, which removes the unbounded allocation.
The subsequent commit, 566ba7b48d6e8c62e5da71c34bb56b87183bf503, is a minor refactoring of the same fix; it corroborates the reading of the patch but touches no additional vulnerable code. The saveInPortletSession method is therefore identified with confidence as the single vulnerable function in the provided patches.
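To make the before/after pattern concrete, the following is an added illustration written against the standard JSR-286 portlet API, not Liferay's own code: the two methods reproduce the shape of the vulnerable loop and of the allow-listed loop described above. The class name, the contents of the allow-list, the locale suffixes used to build the "localized variants", and the choice of the parameter name itself as the session attribute key are all assumptions made for the example.

```java
// Added example modelled on the saveInPortletSession pattern described in the
// analysis. Not Liferay code: class name, allow-list contents, locale suffixes
// and the attribute-key convention are assumptions for illustration.
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

import javax.portlet.PortletSession;
import javax.portlet.ResourceRequest;

public class SessionParameterSaver {

    // Assumed allow-list standing in for the portlet's _parameterNames array.
    private static final String[] PARAMETER_NAMES = {
        "kaleoProcessId", "name", "description"
    };

    // Assumed locale suffixes used to derive the localized variants.
    private static final String[] LOCALE_SUFFIXES = {"_en_US", "_de_DE"};

    /**
     * Vulnerable pattern: every parameter name supplied by the client is
     * copied into the session. The client controls how many names there are
     * and how large each value is, and the session keeps them after the
     * request completes, so repeated requests exhaust server memory.
     */
    public static void saveInPortletSessionVulnerable(ResourceRequest request) {
        PortletSession session = request.getPortletSession();
        Enumeration<String> names = request.getParameterNames();
        while (names.hasMoreElements()) {
            String name = names.nextElement();
            session.setAttribute(name, request.getParameter(name));
        }
    }

    /**
     * Patched pattern: only names from a fixed allow-list are read from the
     * request. The number of session attributes is bounded by the list size,
     * whatever the attacker sends.
     */
    public static void saveInPortletSessionFixed(ResourceRequest request) {
        PortletSession session = request.getPortletSession();
        for (String name : allowedNames()) {
            String value = request.getParameter(name);
            if (value != null) {
                session.setAttribute(name, value);
            }
        }
    }

    /** Allow-list plus its localized variants, e.g. "name" and "name_en_US". */
    static List<String> allowedNames() {
        List<String> names = new ArrayList<>();
        for (String name : PARAMETER_NAMES) {
            names.add(name);
            for (String suffix : LOCALE_SUFFIXES) {
                names.add(name + suffix);
            }
        }
        return names;
    }
}
```

The practitioner's check when reviewing similar code is whether the iteration is driven by client-supplied data (getParameterNames, getHeaderNames, a JSON object's key set) or by a server-side list. Only the second bounds the work and memory per request; limiting individual value sizes without also limiting the number of keys still leaves the session growing with every attacker-chosen name.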