GHSA-87m3-6qj3-p3xh
Suggest an improvement- Source
- https://github.com/advisories/GHSA-87m3-6qj3-p3xh
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-87m3-6qj3-p3xh/GHSA-87m3-6qj3-p3xh.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-87m3-6qj3-p3xh
- Aliases
- Published
- 2024-02-07T15:30:50Z
- Modified
- 2024-10-02T19:02:15.240772Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- 7.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Liferay Portal denial of service (memory consumption)
- Details
-
The Document and Media widget In Liferay Portal 7.2.0 through 7.3.6, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 13, and older unsupported versions, does not limit resource consumption when generating a preview image, which allows remote authenticated users to cause a denial of service (memory consumption) via crafted PNG images.
- Database specific
{ "nvd_published_at": "2024-02-07T15:15:08Z", "cwe_ids": [ "CWE-400", "CWE-770" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-02-07T19:32:22Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2024-25143
- https://github.com/liferay/liferay-portal/commit/29b73b9b896c7d44fb5d1800a402698c303d1cf6
- https://github.com/liferay/liferay-portal/commit/4381c10ad0722b3b00c3e3567b68538ab0994145
- https://github.com/liferay/liferay-portal
- https://github.com/liferay/liferay-portal/releases/tag/7.3.7-ga8
- https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25143
Affected packages
Maven / com.liferay.portal:release.portal.bom
Package
- Name
- com.liferay.portal:release.portal.bom
- View open source insights on deps.dev
- Purl
- pkg:maven/com.liferay.portal/release.portal.bom