CVE-2021-29038
Liferay Portal and Liferay DXP Does Not Obfuscate Password Reminder Answers
CVSS 3.1 base score: 6.3 (MEDIUM); EPSS: 0.09%
Description
Liferay Impl before 5.18.4, Liferay Users Admin Web before 5.0.33, Liferay Login Web before 5.0.18, and Liferay Commerce Account Web before 3.0.7 from Liferay Portal (7.2.0 through 7.3.5) and older unsupported versions, and Liferay DXP 7.3 before fix pack 1, 7.2 before fix pack 17, and older unsupported versions, do not obfuscate password reminder answers on the page. This allows an attacker positioned for man-in-the-middle interception or shoulder surfing to read a user's password reminder answers.
How to fix CVE-2021-29038
To remediate CVE-2021-29038, upgrade each affected package to the fixed version listed below (package names as given in the description above).
- Liferay Login Web: upgrade to 5.0.18 or later
- Liferay Users Admin Web: upgrade to 5.0.33 or later
- Liferay Commerce Account Web: upgrade to 3.0.7 or later
- Liferay Impl: upgrade to 5.18.4 or later
- Liferay DXP 7.2: upgrade to 7.2.10.fp17 (fix pack 17) or later
Is CVE-2021-29038 being exploited?
Low — EPSS is 0.09% (about 0.1%), meaning exploitation activity has not been observed at scale.
Affected packages (5)
- Liferay Login Web: from 0, < 5.0.18
- Liferay Users Admin Web: from 0, < 5.0.33
- Liferay Commerce Account Web: from 0, < 3.0.7
- Liferay Impl: from 0, < 5.18.4
- Liferay DXP 7.2: from 0, < 7.2.10.fp17
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM | 6.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L |