CVE-2021-29040 — Liferay Portal and Liferay DXP Reveals Data via Overly Verbose Error Messages

Description

The JSON web services in Liferay Portal 7.3.4 and earlier, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 20 and 7.2 before fix pack 10 may provide overly verbose error messages, which allows remote attackers to use the contents of error messages to help launch another, more focused attacks via crafted inputs.

How to fix CVE-2021-29040

To remediate CVE-2021-29040, upgrade the affected package to a fixed version below.

—upgrade to 7.0.10.fp97 or later
—upgrade to 7.3.5 or later

Is CVE-2021-29040 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 7.0.10.fp97
from 0, < 7.3.5

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-29040
PATCHgithub.com/liferay/liferay-portal
WEBliferay.com
WEBportal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743429