CVE-2024-25143

Published: Feb 7, 2024Modified: Nov 21, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

The Document and Media widget In Liferay Portal 7.2.0 through 7.3.6, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 13, and older unsupported versions, does not limit resource consumption when generating a preview image, which allows remote authenticated users to cause a denial of service (memory consumption) via crafted PNG images.

Affected (19)

Products: Liferay: Digital Experience Platform, Liferay Portal

Liferay

2 products

Digital Experience Platform

Liferay Portal

Configuration A

19 vulnerable

Vulnerable Software	Affected Versions
Liferay Digital Experience Platform	Before 7.2
Liferay Digital Experience Platform	Version 7.2
Liferay Digital Experience Platform	Version 7.2 fix_pack_10
Liferay Digital Experience Platform	Version 7.2 fix_pack_11
Liferay Digital Experience Platform	Version 7.2 fix_pack_12
Liferay Digital Experience Platform	Version 7.2 fix_pack_1
Liferay Digital Experience Platform	Version 7.2 fix_pack_2
Liferay Digital Experience Platform	Version 7.2 fix_pack_3
Liferay Digital Experience Platform	Version 7.2 fix_pack_4
Liferay Digital Experience Platform	Version 7.2 fix_pack_5
Liferay Digital Experience Platform	Version 7.2 fix_pack_6
Liferay Digital Experience Platform	Version 7.2 fix_pack_7
Liferay Digital Experience Platform	Version 7.2 fix_pack_8
Liferay Digital Experience Platform	Version 7.2 fix_pack_9
Liferay Digital Experience Platform	Version 7.3
Liferay Digital Experience Platform	Version 7.3 fix_pack_1
Liferay Liferay Portal	Before 7.2.0
Liferay Liferay Portal	From 7.2.0 to 7.2.1
Liferay Liferay Portal	From 7.3.0 to 7.3.7

Related CWEs

CWE-770

Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

References (2)

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25143

Source: security@liferay.com

MitigationVendor Advisory

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25143

Source: af854a3a-2127-422b-91ae-364da2661108

MitigationVendor Advisory

Timeline

No history available yet.