CVE-2021-33327 — Liferay Portal and Liferay DXP does not properly check user permission

Description

The Portlet Configuration module before 4.0.13 in Liferay Portal 7.2.0 through 7.3.3, and Liferay DXP 7.0 fix pack pack 93 and 94, 7.1 fix pack 18, and 7.2 before fix pack 8, does not properly check user permission, which allows remote authenticated users to view the Guest and User role even if "Role Visibility" is enabled.

How to fix CVE-2021-33327

To remediate CVE-2021-33327, upgrade the affected package to a fixed version below.

—upgrade to 4.0.13 or later
—upgrade to 7.0.10.fp95 or later

Is CVE-2021-33327 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 4.0.13
>= 7.0.10.fp93, < 7.0.10.fp95

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-33327
PATCHgithub.com/liferay/liferay-portal
WEBgithub.com/liferay/liferay-portal/commit/44317eb5274d24bb91c43c91cd5c678392eb9eeb
WEBgithub.com/liferay/liferay-portal/commit/9e1628110ca5f0b7b867e1f55e3886c92fc67ca1