CVE-2021-33334 — Liferay Portal and Liferay DXP Fails to Properly Check User Permissions

Description

The Dynamic Data Mapping module in Liferay Portal 7.0.0 through 7.3.2, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19, and 7.2 before fix pack 6, does not properly check user permissions, which allows remote attackers with the forms "Access in Site Administration" permission to view all forms and form entries in a site via the forms section in site administration.

How to fix CVE-2021-33334

To remediate CVE-2021-33334, upgrade the affected package to a fixed version below.

—upgrade to 7.0.10.fp94 or later
—no fix listed

Is CVE-2021-33334 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

>= 7.0.10.fp0, < 7.0.10.fp94
>= 7.0.0, <= 7.3.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-33334
PATCHgithub.com/liferay/liferay-portal
WEBissues.liferay.com/browse/LPE-17039
WEBportal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120748332