com.liferay.portal:com.liferay.portal.kernel@4.106.0 vulnerabilities

  • latest version

    163.0.1

  • latest non vulnerable version

  • first published

    9 years ago

  • latest version published

    6 days ago

  • licenses detected

  • package registry

  • Direct Vulnerabilities

    Known vulnerabilities in the com.liferay.portal:com.liferay.portal.kernel package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • H
    Allocation of Resources Without Limits or Throttling

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the SessionClicks class. An attacker can exhaust system memory by sending crafted HTTP requests that cause excessive request parameters to be stored in the HTTP session.

    How to fix Allocation of Resources Without Limits or Throttling?

    Upgrade com.liferay.portal:com.liferay.portal.kernel to version 38.0.0 or higher.

    [,38.0.0)
    • M
    Observable Discrepancy

    Affected versions of this package are vulnerable to Observable Discrepancy because responses differ depending on site existence or user permissions. An attacker can discover the existence of sites by enumerating URLs.

    Note:

    This is only exploitable if locale.prepend.friendly.url.style=2 and if a custom 404 page is used.

    How to fix Observable Discrepancy?

    Upgrade com.liferay.portal:com.liferay.portal.kernel to version 12.0.0 or higher.

    [,12.0.0)
    • L
    Access Control Bypass

    Affected versions of this package are vulnerable to Access Control Bypass due to unauthorized access to object definitions via search. The Object module does not segment object definitions by virtual instance in search, which allows remote authenticated users in one virtual instance to view object definitions from a second virtual instance by searching for them.

    How to fix Access Control Bypass?

    Upgrade com.liferay.portal:com.liferay.portal.kernel to version 94.0.0 or higher.

    [,94.0.0)