CVE-2023-33946
Liferay portal unauthorized access to objects via OAuth 2 scope
CVSS 3.1 score: 4.3 (MEDIUM)
EPSS: 0.28%
Description
The Object module in Liferay Portal 7.4.3.4 through 7.4.3.48, and Liferay DXP 7.4 before update 49, does not properly isolate objects in different virtual instances, which allows remote authenticated users in one virtual instance to view objects in a different virtual instance via the OAuth 2 scope administration page.
How to fix CVE-2023-33946
To remediate CVE-2023-33946, upgrade the affected package to a fixed version below.
- no fix listed
- upgrade to 7.4.3.49 or later
Is CVE-2023-33946 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 7.4.0, <= 7.4.0 | >= 7.4-update1.0, <= 7.4-update1.0, >= 7.4-update34.0, <= 7.4-update34.0, >= 7.4-update36.0, <= 7.4-update36.0
- >= 7.4.3.4, < 7.4.3.49
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (4.3) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |