CVE-2023-47798

Account lockout in Liferay Portal 7.2.0 through 7.3.0, and older unsupported versions, and Liferay DXP 7.2 before fix pack 5, and older unsupported versions does not invalidate existing user sessions, which allows remote authenticated users to remain authenticated after an account has been locked.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-47798	Vendor Advisory
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-47798	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:liferay:digital_experience_platform::::::::
	cpe:2.3:a:liferay:digital_experience_platform:7.2:-::::::
	cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_1::::::
	cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_2::::::
	cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_3::::::
	cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_4::::::
	cpe:2.3:a:liferay:liferay_portal::::::::

History

No history.

Information

Published : 2024-02-08 03:15

Updated : 2024-11-21 08:30

NVD link : CVE-2023-47798

Mitre link : CVE-2023-47798

CVE.ORG link : CVE-2023-47798

JSON object : View

Products Affected

liferay

digital_experience_platform
liferay_portal

CWE

CWE-384

Session Fixation

{"id": "CVE-2023-47798", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@liferay.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.1}]}, "published": "2024-02-08T03:15:07.367", "references": [{"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-47798", "tags": ["Vendor Advisory"], "source": "security@liferay.com"}, {"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-47798", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security@liferay.com", "description": [{"lang": "en", "value": "CWE-384"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-384"}]}], "descriptions": [{"lang": "en", "value": "Account lockout in Liferay Portal 7.2.0 through 7.3.0, and older unsupported versions, and Liferay DXP 7.2 before fix pack 5, and older unsupported versions does not invalidate existing user sessions, which allows remote authenticated users to remain authenticated after an account has been locked."}, {"lang": "es", "value": "El bloqueo de cuentas en Liferay Portal 7.2.0 a 7.3.0 y versiones anteriores no compatibles, y Liferay DXP 7.2 anterior al fixpack 5 y versiones anteriores no compatibles no invalida las sesiones de usuario existentes, lo que permite a los usuarios autenticados remotamente permanecer autenticados despu\u00e9s de que se haya bloqueado una cuenta."}], "lastModified": "2024-11-21T08:30:49.593", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AF8EBC77-BA94-4AA8-BAF0-D1E3C9146459", "versionEndExcluding": "7.2"}, {"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0DCF7F39-A198-4F7E-84B7-90C88C1BAA96"}, {"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E7E68DF8-749B-4284-A7C9-929701A86B36"}, {"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7CECAA19-8B7F-44C8-8059-6D4F2105E196"}, {"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "68CBCEEB-7C28-4769-813F-3F01E33D2E08"}, {"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C0CB4927-A361-4DFA-BDB8-A454EA2894AB"}, {"criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "219ADF32-211D-463B-8624-C1C521918363", "versionEndExcluding": "7.3.0", "versionStartIncluding": "7.2.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@liferay.com"}