CVE-2021-33322 in Liferay

Summary

by MITRE • 08/03/2021

In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 18, and 7.2 before fix pack 5, password reset tokens are not invalidated after a user changes their password, which allows remote attackers to change the user’s password via the old password reset token.


Analysis

by VulDB Data Team • 05/14/2025

This vulnerability exists in Liferay Portal and Liferay DXP versions prior to specific fix packs, creating a critical authentication bypass opportunity that directly impacts user account security. The flaw resides in the password reset mechanism where the system fails to invalidate previously generated password reset tokens after a user successfully changes their password through the reset process. This represents a fundamental failure in session management and token lifecycle handling within the authentication system.

The root cause is improper token invalidation logic within the password reset workflow. When a user requests a password reset, the system generates a unique token that should be consumed and invalidated upon successful password change. Instead, the original token remains valid after the user has changed their password, so an attacker who holds it can reuse it and bypass the intended control. The flaw sits at the application level in the password reset functionality, and it is particularly dangerous because exploitation requires neither prior authentication nor knowledge of the user's current password.

The operational impact of this vulnerability is severe and multifaceted, as it enables remote attackers to gain unauthorized control over user accounts. An attacker who obtains a valid password reset token can repeatedly use it to change the target user's password, effectively locking out the legitimate user while gaining persistent access to their account. This creates a persistent security risk that can be exploited across multiple sessions and potentially across different systems if the same token is used for various account recovery mechanisms. The vulnerability directly violates security principles related to token expiration and single-use validation, which are fundamental to maintaining account integrity.

From a cybersecurity perspective, this vulnerability aligns with CWE-613, which addresses insufficient session expiration, and can be categorized under ATT&CK technique T1110.003 for credential access through password reuse. The attack vector is remote and requires only access to a valid password reset token, which may be obtained through various means including phishing attacks, network sniffing, or exploitation of other vulnerabilities that expose tokens. Organizations using affected versions should immediately implement the vendor-provided patches and consider conducting security audits to identify any potential exploitation attempts. Additional mitigations include implementing token rotation mechanisms, monitoring for unusual password reset activities, and ensuring proper session management across all authentication pathways.

The vulnerability demonstrates a critical oversight in the password reset implementation that directly conflicts with established security best practices for token management and authentication lifecycle control. Proper implementation should ensure that password reset tokens are consumed upon first use and invalidated immediately afterward, preventing any possibility of reuse. This issue highlights the importance of comprehensive security testing for authentication mechanisms and the need for regular security updates to address known vulnerabilities in enterprise portal software platforms. Organizations should also consider implementing additional security controls such as multi-factor authentication and enhanced monitoring of authentication activities to reduce the risk exposure associated with such vulnerabilities.
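The token lifecycle described above, as an added illustration that is not Liferay's code and not part of the VulDB analysis: a small in-memory password reset service with a switch between the flawed behaviour (the reset token survives the password change and can be replayed) and the corrected one (every outstanding token for the user is cleared whenever the password changes, whether through the reset flow or an authenticated change). User names, passwords and the token store are constructed for the example; only token hashes are stored, and lookups use constant-time comparison.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    password_hash: str
    # token hash -> expiry time; hashed so a leaked store does not expose live tokens
    reset_tokens: dict = field(default_factory=dict)


def _hash(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


class PasswordResetService:
    """Constructed example: invalidate_on_change=False reproduces the flaw,
    invalidate_on_change=True is the corrected lifecycle."""

    def __init__(self, invalidate_on_change: bool, ttl_seconds: int = 3600):
        self.invalidate_on_change = invalidate_on_change
        self.ttl = ttl_seconds
        self.users: dict = {}

    def add_user(self, name: str, password: str) -> None:
        self.users[name] = User(name, _hash(password))

    def request_reset(self, name: str) -> str:
        """Issue a fresh random token; only its hash is kept server-side."""
        token = secrets.token_urlsafe(32)
        self.users[name].reset_tokens[_hash(token)] = time.time() + self.ttl
        return token

    def _find_token(self, user: User, token: str):
        want = _hash(token)
        for stored in user.reset_tokens:  # constant-time compare per entry
            if hmac.compare_digest(stored, want):
                return stored
        return None

    def _set_password(self, user: User, new_password: str) -> None:
        user.password_hash = _hash(new_password)
        if self.invalidate_on_change:
            # Fix: a password change ends the life of every pending reset token.
            user.reset_tokens.clear()
        # Flawed variant: tokens are left in place and can be replayed.

    def reset_password(self, name: str, token: str, new_password: str) -> bool:
        user = self.users[name]
        key = self._find_token(user, token)
        if key is None or user.reset_tokens[key] < time.time():
            return False  # unknown or expired token
        self._set_password(user, new_password)
        return True

    def change_password(self, name: str, old: str, new: str) -> bool:
        """Authenticated change; must also clear pending reset tokens."""
        user = self.users[name]
        if not hmac.compare_digest(user.password_hash, _hash(old)):
            return False
        self._set_password(user, new)
        return True

    def login(self, name: str, password: str) -> bool:
        return hmac.compare_digest(self.users[name].password_hash, _hash(password))


def replay_after_reset(invalidate_on_change: bool) -> dict:
    """User resets via token, then the same token is presented again."""
    svc = PasswordResetService(invalidate_on_change)
    svc.add_user("alice", "correct horse")
    token = svc.request_reset("alice")
    first = svc.reset_password("alice", token, "new-pass-1")
    replay = svc.reset_password("alice", token, "replayed-pass")
    return {"first": first, "replay": replay,
            "user_can_login": svc.login("alice", "new-pass-1"),
            "replayed_pass_works": svc.login("alice", "replayed-pass")}


def replay_after_authenticated_change(invalidate_on_change: bool) -> dict:
    """A token was issued, but the user changed the password normally."""
    svc = PasswordResetService(invalidate_on_change)
    svc.add_user("bob", "old-pass")
    token = svc.request_reset("bob")
    changed = svc.change_password("bob", "old-pass", "new-pass-2")
    replay = svc.reset_password("bob", token, "replayed-pass")
    return {"changed": changed, "replay": replay,
            "user_can_login": svc.login("bob", "new-pass-2")}


if __name__ == "__main__":
    print("flawed:", replay_after_reset(False))
    print("fixed: ", replay_after_reset(True))
```

Running the flawed configuration shows the token succeeding twice and the legitimate user's newly chosen password no longer working; the fixed configuration rejects the second use. The second scenario matters for the same reason: a user who changes their password through the normal authenticated path should also end the life of any reset token issued earlier, which is why the example clears tokens centrally in `_set_password` rather than only inside the reset handler.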

Reservation: 05/20/2021

Disclosure: 08/03/2021

Moderation: accepted

CPE: ready

EPSS: 0.01202

KEV: no

Activities: very low
