GHSA-2mx7-xvfg-fg53

Source
https://github.com/advisories/GHSA-2mx7-xvfg-fg53
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-2mx7-xvfg-fg53/GHSA-2mx7-xvfg-fg53.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-2mx7-xvfg-fg53
Aliases
Published
2024-02-08T03:32:45Z
Modified
2024-10-03T18:45:33.889285Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Summary
Liferay Portal's account lockout does not invalidate existing user sessions
Details

Account lockout in Liferay Portal 7.2.0 through 7.3.0 (and older unsupported versions) and in Liferay DXP 7.2 before fix pack 5 (and older unsupported versions) does not invalidate existing user sessions. As a result, remote authenticated users remain authenticated, and their sessions stay usable, after their account has been locked.

Database specific
{
    "nvd_published_at": "2024-02-08T03:15:07Z",
    "cwe_ids": [
        "CWE-384"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-08T18:25:35Z"
}
References

Affected packages

Maven / com.liferay.portal:release.portal.bom

Package

Name
com.liferay.portal:release.portal.bom
Purl
pkg:maven/com.liferay.portal/release.portal.bom

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.2.0
Fixed
7.3.1

Affected versions

7.*

7.2.0
7.2.1
7.2.1-1
7.3.0
7.3.0-1

Maven / com.liferay.portal:release.dxp.bom

Package

Name
com.liferay.portal:release.dxp.bom
Purl
pkg:maven/com.liferay.portal/release.dxp.bom

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.2.0
Fixed
7.2.10.fp5

Affected versions

7.*

7.2.1
7.2.10
7.2.10.fp1
7.2.10.fp1-1
7.2.10.fp2
7.2.10.fp3
7.2.10.fp4