CVE-2021-33335 — Liferay Portal and Liferay DXP Has Company Administrator Accounts Vulnerable to

Description

Privilege escalation vulnerability in Liferay Portal 7.0.3 through 7.3.4, and Liferay DXP 7.1 before fix pack 20, and 7.2 before fix pack 9 allows remote authenticated users with permission to update/edit users to take over a company administrator user account by editing the company administrator user.

How to fix CVE-2021-33335

To remediate CVE-2021-33335, upgrade the affected package to a fixed version below.

—upgrade to 7.1.10.fp20 or later
—upgrade to 7.3.5 or later

Is CVE-2021-33335 being exploited?

Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

>= 7.1.0, < 7.1.10.fp20
>= 7.0.3, < 7.3.5

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.2	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-33335
PATCHgithub.com/liferay/liferay-portal
WEBissues.liferay.com/browse/LPE-17103
WEBweb.archive.org/web/20220828222916/https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747906