Liferay Portal 7.x before 7.3.2, and Liferay DXP 7.0 before fix pack 92, 7.1 before fix pack 18, and 7.2 before fix pack 5 does not sanitize the information returned by the DDMDataProvider API, which allows remote authenticated users to obtain the password to REST Data Providers.
{
"source": "CPE_STRING",
"cpe": [
"cpe:2.3:a:liferay:liferay_portal:7.1:ga1:*:*:community:*:*:*",
"cpe:2.3:a:liferay:liferay_portal:7.1.1:ga2:*:*:community:*:*:*",
"cpe:2.3:a:liferay:liferay_portal:7.1:ga2:*:*:community:*:*:*",
"cpe:2.3:a:liferay:liferay_portal:7.1:ga3:*:*:community:*:*:*",
"cpe:2.3:a:liferay:liferay_portal:7.2:ga1:*:*:community:*:*:*",
"cpe:2.3:a:liferay:liferay_portal:7.3:ga1:*:*:community:*:*:*",
"cpe:2.3:a:liferay:liferay_portal:7.3:ga2:*:*:community:*:*:*"
],
"extracted_events": [
{
"introduced": "7.1-ga1"
},
{
"last_affected": "7.1-ga1"
},
{
"introduced": "7.1.1-ga2"
},
{
"last_affected": "7.1.1-ga2"
},
{
"introduced": "7.1-ga2"
},
{
"last_affected": "7.1-ga2"
},
{
"introduced": "7.1-ga3"
},
{
"last_affected": "7.1-ga3"
},
{
"introduced": "7.2-ga1"
},
{
"last_affected": "7.2-ga1"
},
{
"introduced": "7.3-ga1"
},
{
"last_affected": "7.3-ga1"
},
{
"introduced": "7.3-ga2"
},
{
"last_affected": "7.3-ga2"
}
]
}