CVE-2020-15840 in Liferay Portal

Summary

by MITRE

In Liferay Portal before 7.3.1, Liferay Portal 6.2 EE, and Liferay DXP 7.2, DXP 7.1 and DXP 7.0, the property 'portlet.resource.id.banned.paths.regexp' can be bypassed with doubled encoded URLs.


Analysis

by VulDB Data Team • 05/14/2025

The vulnerability identified as CVE-2020-15840 affects multiple versions of Liferay Portal and Liferay Digital Experience Platform, specifically targeting the security controls designed to prevent unauthorized access to portlet resources. This issue represents a critical bypass of access control mechanisms that should restrict path traversal and resource access within the portal environment. The flaw resides in how the system processes URL encoding and validation for portlet resource identifiers, creating a pathway for malicious actors to circumvent intended security boundaries.

Technically, the vulnerability stems from improper validation of URL-encoded paths against the 'portlet.resource.id.banned.paths.regexp' property. This configuration parameter defines a regular expression that blocks access to sensitive paths within the portal's resource hierarchy. However, an attacker can bypass the restriction by double-encoding the URL: the validation logic decodes and checks the resource identifier only once, so a doubly encoded path does not match the banned-path pattern at check time even though it resolves to a protected resource once it is decoded again. The bypass occurs because the validation does not account for multiple layers of URL encoding that obscure the true target of the requested resource path.

The operational impact of this vulnerability extends beyond simple access control bypass, as it can enable attackers to perform unauthorized operations within the portal environment. Successful exploitation allows threat actors to access restricted portlet resources, potentially leading to data exposure, privilege escalation, or further compromise of the portal infrastructure. The vulnerability affects both community and enterprise editions of Liferay Portal, making it particularly concerning given the widespread adoption of these platforms across enterprise environments. Security researchers have noted that this type of bypass can be particularly dangerous in environments where the portal serves as a central hub for business-critical applications and data access.

Organizations affected by this vulnerability should prioritize immediate remediation through the application of vendor-provided patches and updates. The recommended mitigation strategy includes upgrading to Liferay Portal 7.3.1 or later versions where this bypass has been addressed. Additionally, security teams should review their current configuration of the 'portlet.resource.id.banned.paths.regexp' property to ensure that it properly accounts for encoded paths and consider implementing additional monitoring for suspicious URL patterns. This vulnerability aligns with CWE-20 Improper Input Validation and can be categorized under ATT&CK technique T1078 Valid Accounts, as it allows for unauthorized access to portal resources through bypass mechanisms rather than direct credential compromise.

The broader implications of this vulnerability highlight the importance of proper input validation and encoding handling in web application security frameworks. Organizations should implement comprehensive security testing procedures that specifically target URL encoding behaviors and access control bypass scenarios. This includes regular security assessments of portal configurations and validation of security controls against known attack patterns. The vulnerability also underscores the need for defense-in-depth strategies that combine proper access controls with monitoring and detection capabilities to identify potential exploitation attempts.
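The single-decode weakness described above, modelled beside a canonicalizing check, as an added example that is not Liferay's code or this page's. The banned-path pattern and the resource identifiers are constructed for illustration; the property's real default value is not given on the page.

```python
import re
from urllib.parse import unquote

# Hypothetical banned-paths pattern, standing in for the value an operator would
# put in portlet.resource.id.banned.paths.regexp (constructed, not Liferay's default).
BANNED_PATHS_RE = re.compile(r"(^|/)(WEB-INF|META-INF)(/|$)", re.IGNORECASE)


def is_banned_single_decode(resource_id: str) -> bool:
    """Weak check: decode once, then match.

    A doubly encoded separator ('%252F') decodes to '%2F', which the pattern
    does not recognise as a path boundary, yet a later decode turns it into '/'.
    """
    return bool(BANNED_PATHS_RE.search(unquote(resource_id)))


def canonicalize(value: str, max_rounds: int = 5) -> str:
    """Decode repeatedly until the string stops changing (a fixed point).

    A bound on the rounds keeps a pathological input from looping; exceeding it
    is treated as an error so the caller can fail closed.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many URL-encoding layers")


def is_banned_hardened(resource_id: str) -> bool:
    """Hardened check: canonicalize first, then match the pattern on the result.

    Anything that cannot be canonicalized within the round limit is banned.
    """
    try:
        canonical = canonicalize(resource_id)
    except ValueError:
        return True
    return bool(BANNED_PATHS_RE.search(canonical))


if __name__ == "__main__":
    # Constructed resource identifiers: plain, single-encoded, double-encoded.
    for rid in ("/WEB-INF/web.xml", "%2FWEB-INF%2Fweb.xml", "%252FWEB-INF%252Fweb.xml"):
        print(rid, is_banned_single_decode(rid), is_banned_hardened(rid))
```

The double-encoded identifier slips past the single-decode check but not the canonicalizing one; the same fixed-point decoding is the shape of the "accounts for encoded paths" review recommended above.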

Reservation: 07/20/2020

Moderation: accepted

CPE: ready

EPSS: 0.01048

KEV: no

Activities: very low
