CVE-2023-33947
Liferay portal has unauthorized access to object definition via search
Severity: 4.3 MEDIUM (CVSS 3.1); EPSS 0.27%
Description
The Object module in Liferay Portal 7.4.3.4 through 7.4.3.60, and Liferay DXP 7.4 before update 61, does not segment object definitions by virtual instance in search, which allows remote authenticated users in one virtual instance to view object definitions from a second virtual instance by searching for them.
How to fix CVE-2023-33947
To remediate CVE-2023-33947, upgrade the affected package to a fixed version below.
- no fix listed
- upgrade to 7.4.3.61 or later
Is CVE-2023-33947 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 7.4.0, <= 7.4.0 | >= 7.4-update1.0, <= 7.4-update1.0, >= 7.4-update21.0, <= 7.4-update21.0, >= 7.4-update34.0, <= 7.4-update34.0, >= 7.4-update36.0, <= 7.4-update36.0, >= 7.4-update41.0, <= 7.4-update41.0, >= 7.4-update50.0, <= 7.4-update50.0, >= 7.4-update52.0, <= 7.4-update52.0
- >= 7.4.3.4, < 7.4.3.61
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (4.3) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |