CVE-2024-25143

EPSS 0.75%
Published 07.02.2024 15:15:08
Last modified 21.11.2024 09:00:20
Source security@liferay.com
Teams watchlist Login
Open Login

The Document and Media widget In Liferay Portal 7.2.0 through 7.3.6, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 13, and older unsupported versions, does not limit resource consumption when generating a preview image, which allows remote authenticated users to cause a denial of service (memory consumption) via crafted PNG images.

Affected products Warnungen 0 Metrics 3 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Liferay ≫ Digital Experience Platform Version < 7.2

Liferay ≫ Digital Experience Platform Version7.2 Update-

Liferay ≫ Digital Experience Platform Version7.2 Updatefix_pack_1

Liferay ≫ Digital Experience Platform Version7.2 Updatefix_pack_10

Liferay ≫ Digital Experience Platform Version7.2 Updatefix_pack_11

Liferay ≫ Digital Experience Platform Version7.2 Updatefix_pack_12

Liferay ≫ Digital Experience Platform Version7.2 Updatefix_pack_2

Liferay ≫ Digital Experience Platform Version7.2 Updatefix_pack_3

Liferay ≫ Digital Experience Platform Version7.2 Updatefix_pack_4

Liferay ≫ Digital Experience Platform Version7.2 Updatefix_pack_5

Liferay ≫ Digital Experience Platform Version7.2 Updatefix_pack_6

Liferay ≫ Digital Experience Platform Version7.2 Updatefix_pack_7

Liferay ≫ Digital Experience Platform Version7.2 Updatefix_pack_8

Liferay ≫ Digital Experience Platform Version7.2 Updatefix_pack_9

Liferay ≫ Digital Experience Platform Version7.3 Update-

Liferay ≫ Digital Experience Platform Version7.3 Updatefix_pack_1

Liferay ≫ Liferay Portal Version < 7.2.0

Liferay ≫ Liferay Portal Version >= 7.2.0 <= 7.2.1

Liferay ≫ Liferay Portal Version >= 7.3.0 < 7.3.7

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.75%	0.717

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
security@liferay.com	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25143

Vendor Advisory

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2024-25143

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-25143

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-25143

EUVD