Vulnerability Details CVE-2020-7961
Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS).
Exploit prediction scoring system (EPSS) score
EPSS Score 0.944
EPSS Ranking 100.0%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 7.5
Proposed Action
Liferay Portal contains a deserialization of untrusted data vulnerability that allows remote attackers to execute code via JSON web services.
Ransomware Campaign
Unknown
References
- http://packetstormsecurity.com/files/157254/Liferay-Portal-Java-Unmarshalling-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/158392/Liferay-Portal-Remote-Code-Execution.html
- https://portal.liferay.dev/learn/security/known-vulnerabilities
- https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/117954271
- https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/
- http://packetstormsecurity.com/files/157254/Liferay-Portal-Java-Unmarshalling-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/158392/Liferay-Portal-Remote-Code-Execution.html
- https://portal.liferay.dev/learn/security/known-vulnerabilities
- https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/117954271
- https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/
Products affected by CVE-2020-7961
-
cpe:2.3:a:liferay:liferay_portal:6.0.0
-
cpe:2.3:a:liferay:liferay_portal:6.0.5
-
cpe:2.3:a:liferay:liferay_portal:6.0.6
-
cpe:2.3:a:liferay:liferay_portal:6.1.0
-
cpe:2.3:a:liferay:liferay_portal:6.1.1
-
cpe:2.3:a:liferay:liferay_portal:6.1.2
-
cpe:2.3:a:liferay:liferay_portal:6.2.0
-
cpe:2.3:a:liferay:liferay_portal:6.2.1
-
cpe:2.3:a:liferay:liferay_portal:6.2.2
-
cpe:2.3:a:liferay:liferay_portal:6.2.3
-
cpe:2.3:a:liferay:liferay_portal:6.2.4
-
cpe:2.3:a:liferay:liferay_portal:6.2.5
-
cpe:2.3:a:liferay:liferay_portal:7.0.0
-
cpe:2.3:a:liferay:liferay_portal:7.0.1
-
cpe:2.3:a:liferay:liferay_portal:7.0.2
-
cpe:2.3:a:liferay:liferay_portal:7.0.3
-
cpe:2.3:a:liferay:liferay_portal:7.0.3_ga4
-
cpe:2.3:a:liferay:liferay_portal:7.0.4
-
cpe:2.3:a:liferay:liferay_portal:7.0.5
-
cpe:2.3:a:liferay:liferay_portal:7.0.6
-
cpe:2.3:a:liferay:liferay_portal:7.1
-
cpe:2.3:a:liferay:liferay_portal:7.1.0
-
cpe:2.3:a:liferay:liferay_portal:7.1.1
-
cpe:2.3:a:liferay:liferay_portal:7.1.2
-
cpe:2.3:a:liferay:liferay_portal:7.1.3
-
cpe:2.3:a:liferay:liferay_portal:7.2
-
cpe:2.3:a:liferay:liferay_portal:7.2.0