CVE-2021-33323 in Liferay

Summary

by MITRE • 08/03/2021

The Dynamic Data Mapping module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 7, autosaves form values for unauthenticated users, which allows remote attackers to view the autosaved values by viewing the form as an unauthenticated user.


Analysis

by VulDB Data Team • 05/14/2025

CVE-2021-33323 resides in the Dynamic Data Mapping module of Liferay Portal and Liferay DXP and is an improper access control issue. It affects Liferay Portal 7.1.0 through 7.3.2, Liferay DXP 7.1 before fix pack 19 and Liferay DXP 7.2 before fix pack 7. The module autosaves form values for users who have not authenticated, so anyone who later opens the same form as an unauthenticated user can read the values another visitor typed. This breaks both access control and data confidentiality for the affected forms.

The root cause is that the Dynamic Data Mapping module does not check the user's authentication status before storing form data, nor before serving it back. Autosave exists to prevent data loss while a form is being completed and normally keeps a user's own partial input temporarily; here the values are stored for unauthenticated users as well and are returned to whoever views the form without authenticating. Input that should be visible only to its author is therefore exposed to remote, unauthenticated parties.
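To illustrate the bug class described above (autosaved drafts stored per user while all unauthenticated visitors share one guest identity), here is an added Python model; it is not Liferay code, and `GUEST_USER_ID`, the two draft-store classes and the sample form values are constructed assumptions.

```python
"""Hypothetical model of the CVE-2021-33323 autosave flaw (not Liferay code).

Constructed example: a draft store keyed by user id. Unauthenticated visitors
all share one guest identity, so a draft saved for one guest is pre-filled
into the form for every later guest. The hardened store never persists drafts
for unauthenticated users, which is the behaviour the fix packs restore.
"""
from dataclasses import dataclass

GUEST_USER_ID = 0  # constructed: single shared id for all unauthenticated users


@dataclass(frozen=True)
class User:
    user_id: int
    authenticated: bool


class VulnerableDraftStore:
    """Autosaves for everyone; every guest maps to GUEST_USER_ID."""

    def __init__(self):
        self._drafts = {}  # (user_id, form_id) -> field values

    def autosave(self, user, form_id, values):
        self._drafts[(user.user_id, form_id)] = dict(values)

    def render_form(self, user, form_id):
        # Pre-fills the form with whatever is stored under this user id
        return self._drafts.get((user.user_id, form_id), {})


class HardenedDraftStore(VulnerableDraftStore):
    """Only authenticated users get server-side drafts; guests get an empty form."""

    def autosave(self, user, form_id, values):
        if not user.authenticated:
            return  # nothing is persisted for guests
        super().autosave(user, form_id, values)

    def render_form(self, user, form_id):
        if not user.authenticated:
            return {}
        return super().render_form(user, form_id)


def guest_leak(store_cls):
    """What a second, unrelated guest sees after the first guest types into the form."""
    store = store_cls()
    first_guest = User(GUEST_USER_ID, authenticated=False)
    second_guest = User(GUEST_USER_ID, authenticated=False)
    store.autosave(first_guest, "contact-form", {"email": "alice@example.com"})  # constructed input
    return store.render_form(second_guest, "contact-form")
```

`guest_leak(VulnerableDraftStore)` returns the first guest's e-mail address, while `guest_leak(HardenedDraftStore)` returns an empty form.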

The impact is information disclosure: the affected forms may hold personal data, business-critical details or other confidential content, and all of it becomes readable without credentials. The weakness is classified as CWE-284 (Improper Access Control) and is a clear violation of the principle of least privilege. Because exploitation requires no credentials, anyone with network access to the form can collect the autosaved values, which could feed identity theft, business intelligence gathering or other misuse that weakens the organization's security posture.

Organizations running affected Liferay versions should immediately apply the fix packs named in the description, which address this issue. Security teams should also audit all Dynamic Data Mapping forms to identify those that accept input from unauthenticated users and consider additional access controls or data masking for them. The remediation approach should be mapped to ATT&CK technique T1078, which addresses valid accounts, and T1566, which covers credential harvesting, since the vulnerability enables unauthorized access through legitimate form functionality. Network segmentation and monitoring of form access patterns (for example, repeated unauthenticated requests for the same form) can help detect exploitation attempts, and regular security assessments should verify that the fix is in place on every affected instance.

Reservation

05/20/2021

Disclosure

08/03/2021

Moderation

accepted

CPE

ready

EPSS

0.01028

KEV

no

Activities

very low
