CVE-2020-7961 - Deserialization of Untrusted Data vulnerability in Liferay Portal
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | HIGH |
Integrity impact | HIGH |
Availability impact | HIGH |
Summary
Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS).
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Exploit-Db
id | EDB-ID:48332 |
last seen | 2020-04-16 |
modified | 2020-04-16 |
published | 2020-04-16 |
reporter | Exploit-DB |
source | https://www.exploit-db.com/download/48332 |
title | Liferay Portal - Java Unmarshalling via JSONWS RCE (Metasploit) |
Metasploit
description | This module exploits a Java unmarshalling vulnerability via JSONWS in Liferay Portal versions < 6.2.5 GA6, 7.0.6 GA7, 7.1.3 GA4, and 7.2.1 GA2 to execute code as the Liferay user. Tested against 7.2.0 GA1. |
id | MSF:EXPLOIT/MULTI/HTTP/LIFERAY_JAVA_UNMARSHALLING |
last seen | 2020-06-14 |
modified | 2020-04-22 |
published | 2020-04-08 |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/liferay_java_unmarshalling.rb |
title | Liferay Portal Java Unmarshalling via JSONWS RCE |
Packetstorm
data source | https://packetstormsecurity.com/files/download/157254/liferay_java_unmarshalling.rb.txt |
id | PACKETSTORM:157254 |
last seen | 2020-04-20 |
published | 2020-04-15 |
reporter | Markus Wulftange |
source | https://packetstormsecurity.com/files/157254/Liferay-Portal-Java-Unmarshalling-Remote-Code-Execution.html |
title | Liferay Portal Java Unmarshalling Remote Code Execution |
References
- https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/117954271
- https://portal.liferay.dev/learn/security/known-vulnerabilities
- http://packetstormsecurity.com/files/157254/Liferay-Portal-Java-Unmarshalling-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/158392/Liferay-Portal-Remote-Code-Execution.html
- https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/