The vulnerability lies in the logging of sensitive user information (email addresses) during the LDAP import process. Analysis of the provided patch fc14297acd87703ba1027d691fa27a6b96bbb57c shows that the log level of a message containing a user's email address was changed from INFO to DEBUG. The change was made in the _updateUser method of the com.liferay.portal.security.ldap.internal.exportimport.LDAPUserImporterImpl class. INFO-level logging is commonly enabled in production environments, so the user's email address was written to the logs there. Moving the message to the DEBUG level makes the information far less likely to be exposed in a production setting. Therefore, _updateUser is identified as the vulnerable function, as it was responsible for logging the sensitive data.
Vulnerable function: com.liferay.portal.security.ldap.internal.exportimport.LDAPUserImporterImpl._updateUser
File: modules/apps/portal-security/portal-security-ldap-impl/src/main/java/com/liferay/portal/security/ldap/internal/exportimport/LDAPUserImporterImpl.java
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| com.liferay:com.liferay.portal.security.ldap.impl | maven | >= 4.0.2, < 4.0.54 | 4.0.54 |
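A defender who ran a vulnerable version will want to know whether email addresses from the LDAP import actually reached production logs. The following added example (not code from the advisory or from Liferay) scans log lines for email addresses emitted at INFO or above by the LDAPUserImporterImpl class, and offers a redaction helper for sharing such lines; the log line layout and the sample lines are constructed assumptions, not Liferay's actual output.

```python
import re
from dataclasses import dataclass

# Assumed Liferay-style layout (constructed for this example):
#   <date> <time> <LEVEL> [<thread>][<Class>:<line>] <message>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<level>[A-Z]+)\s+\[(?P<thread>[^\]]*)\]"
    r"\[(?P<cls>[^\]:]+):\d+\]\s+(?P<msg>.*)$"
)
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
LEVEL_ORDER = {"TRACE": 0, "DEBUG": 1, "INFO": 2, "WARN": 3, "ERROR": 4, "FATAL": 5}


@dataclass(frozen=True)
class Finding:
    line_no: int
    level: str
    cls: str
    emails: tuple


def find_email_exposure(lines, min_level="INFO", cls_filter="LDAPUserImporterImpl"):
    """Return one Finding per line at or above min_level, from cls_filter
    (None = any class), whose message carries at least one email address."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a structured log line; skip rather than guess
        if cls_filter and m["cls"] != cls_filter:
            continue
        if LEVEL_ORDER.get(m["level"], -1) < LEVEL_ORDER[min_level]:
            continue
        emails = tuple(EMAIL.findall(m["msg"]))
        if emails:
            findings.append(Finding(n, m["level"], m["cls"], emails))
    return findings


def redact_emails(text):
    """Mask the local part of every email address (keep first char and domain)."""
    return EMAIL.sub(lambda m: m.group(0)[0] + "***@" + m.group(0).split("@", 1)[1], text)


# Constructed sample lines: line 1 is the INFO-level exposure the patch removed.
SAMPLE_LOG = [
    "2024-03-01 10:15:02.118 INFO  [http-nio-8080-exec-3][LDAPUserImporterImpl:612] Updating user with email address alice@example.com",
    "2024-03-01 10:15:02.120 DEBUG [http-nio-8080-exec-3][LDAPUserImporterImpl:612] Updating user with email address bob@example.com",
    "2024-03-01 10:15:03.001 INFO  [http-nio-8080-exec-3][LDAPUserImporterImpl:640] Imported 2 users from LDAP server",
    "2024-03-01 10:15:03.500 INFO  [http-nio-8080-exec-1][PortalImpl:99] Contact support at help@example.com",
]

if __name__ == "__main__":
    for f in find_email_exposure(SAMPLE_LOG):
        print(f.line_no, f.level, f.cls, redact_emails(" ".join(f.emails)))
```

Run with `cls_filter=None` to audit every class, or `min_level="DEBUG"` to confirm that the patched message still carries the address when DEBUG logging is enabled.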