CVE-2025-3586

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-3586

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-3586.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-3586

Aliases

GHSA-m5gv-vj3f-6v2p

Published

2025-09-01T18:15:29.127Z

Modified

2025-12-14T04:43:50.377328Z

Severity

7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

In Liferay Portal 7.4.3.27 through 7.4.3.42, and Liferay DXP 2024.Q1.1 through 2024.Q1.20, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 update 27 through update 42 (Liferay PaaS, and Liferay Self-Hosted), the Objects module does not restrict the use of Groovy scripts in Object actions for Admin Users. This allows remote authenticated admin users with the Instance Administrator role to execute arbitrary Groovy scripts (i.e., remote code execution) through Object actions.

In contrast, in Liferay DXP (Liferay SaaS), the use of Groovy in Object actions is not allowed due to the high security risks it poses.

Starting from Liferay DXP 2024.Q2 and later, a new feature has been introduced in Instance Settings that allows administrators to configure whether Groovy scripts are allowed in their instances.

References

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-3586

Affected packages

Git / github.com/liferay/liferay-portal

Affected ranges

Type: GIT
Repo: https://github.com/liferay/liferay-portal
Events: Introduced

c2feef5096d24a92c4d96bedecfdd8767947d6c2

Fixed

abb6bed96fbe35f8de82c4a9ef60a4277a614218

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-3586.json"