| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| com.liferay.portal:release.portal.bom | maven | >= 7.4.0-ga1, <= 7.4.3.107-ga107 | 7.4.3.108-ga108 |
| com.liferay.portal:com.liferay.portal.impl | maven | < 96.0.0 | 96.0.0 |
Analysis of the supplied patches, in particular commit 9be57d358ae0f6181a138ce08f52b80e4b14778a, points to the doService method of com.liferay.portal.servlet.ComboServlet as the location of the vulnerability. It is a classic path traversal: a user-supplied file path taken from the URL is used to locate resources without sufficient validation. The patch adds sanitization by calling a new _canonicalizePath function immediately before the path is used, which confirms that doService was the function that mishandled the malicious input. When the vulnerability is exploited, a runtime profiler would capture com.liferay.portal.servlet.ComboServlet.doService in the stack trace, since it is the method directly processing the crafted HTTP request.
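To make the defect concrete, the following is an added illustration (not Liferay's code, and not a reconstruction of its _canonicalizePath) of the two sides of the fix: a weak prefix-style acceptance check that lets a request-supplied module path escape the web root, next to a canonicalize-then-contain check. The web root, the helper names and the sample request paths are all assumptions made for the example.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;

public class ComboPathCheck {

    // Hypothetical web root. In a real servlet this would come from
    // ServletContext.getRealPath("/"); the value here is illustrative only.
    static final Path WEB_ROOT =
        Paths.get("/opt/liferay/tomcat/webapps/ROOT").toAbsolutePath().normalize();

    /**
     * The weak pattern: trust the request-supplied module path as long as it
     * "looks like" a path under the web root. A string check does not understand
     * ".." or percent-encoding, so "/js/../../WEB-INF/web.xml" is accepted.
     */
    static boolean weakAccept(String modulePath) {
        return modulePath.startsWith("/") && !modulePath.contains("\\");
    }

    /**
     * Hardened check (illustrative, not the project's own implementation):
     *  1. decode once, and refuse input that still contains '%' afterwards,
     *     which blocks double-encoding such as %252e%252e;
     *  2. refuse NUL bytes;
     *  3. resolve against the web root and normalize, collapsing "." and "..";
     *  4. require that the result is still inside the web root, component-wise;
     *  5. require a JS/CSS extension, since a combo endpoint serves only those.
     * Returns the canonical path, or null when the input must be rejected.
     */
    static Path canonicalizeOrReject(String modulePath) {
        if (modulePath == null || modulePath.isEmpty()) {
            return null;
        }
        String decoded;
        try {
            decoded = URLDecoder.decode(modulePath, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException malformedEscape) {
            return null;
        }
        if (decoded.indexOf('%') >= 0 || decoded.indexOf('\0') >= 0) {
            return null;
        }
        String relative = decoded.startsWith("/") ? decoded.substring(1) : decoded;
        Path resolved = WEB_ROOT.resolve(relative).normalize();
        if (!resolved.startsWith(WEB_ROOT) || resolved.equals(WEB_ROOT)) {
            return null;
        }
        String name = resolved.getFileName().toString().toLowerCase(Locale.ROOT);
        if (!(name.endsWith(".js") || name.endsWith(".css"))) {
            return null;
        }
        return resolved;
    }

    public static void main(String[] args) {
        // Constructed inputs in the shape of module-path parameters on a combo request.
        String[] inputs = {
            "/js/main.js",
            "/css/%2e%2e/%2e%2e/WEB-INF/web.xml",
            "/js/../../WEB-INF/portal-ext.properties",
            "/js/%252e%252e/%252e%252e/WEB-INF/web.xml",
            "/js/main.js%00.css",
        };
        for (String in : inputs) {
            Path canonical = canonicalizeOrReject(in);
            System.out.printf("%-48s weak=%-5s hardened=%s%n",
                in, weakAccept(in), canonical == null ? "REJECT" : canonical);
        }
    }
}
```

Only the first input survives the hardened check; the weak check accepts all five. The containment test uses Path.startsWith, which compares path components rather than characters, so a sibling directory such as ROOT-backup does not pass as a prefix. URLDecoder.decode(String, Charset) requires Java 10 or later.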