CVE-2021-33330 in Liferayinfo

Summary

by MITRE • 08/03/2021

Liferay Portal 7.2.0 through 7.3.2, and Liferay DXP 7.2 before fix pack 9, allows access to Cross-origin resource sharing (CORS) protected resources if the user is only authenticated using the portal session authentication, which allows remote attackers to obtain sensitive information including the targeted user’s email address and current CSRF token.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 05/14/2025

The vulnerability CVE-2021-33330 represents a critical security flaw in Liferay Portal and Liferay DXP platforms that undermines the fundamental security mechanisms designed to protect cross-origin resource sharing. This issue affects versions 7.2.0 through 7.3.2 of Liferay Portal and Liferay DXP 7.2 before fix pack 9, creating a significant risk for organizations relying on these platforms for enterprise web applications. The flaw specifically targets the authentication and authorization mechanisms that should prevent unauthorized access to sensitive resources, particularly those protected by CORS policies.

The technical root cause of this vulnerability lies in the improper handling of authentication state within the CORS framework. When users authenticate through the portal session authentication mechanism, the system fails to adequately validate whether the requesting origin has proper authorization to access protected resources. This authentication bypass allows malicious actors to exploit the session state to gain access to sensitive information that should normally be restricted to authorized origins only. The vulnerability specifically enables access to user-specific data including email addresses and CSRF tokens, which are critical components for maintaining application security and user privacy.

The operational impact of this vulnerability extends beyond simple information disclosure, as it creates a pathway for sophisticated attacks that could lead to session hijacking, privilege escalation, and further exploitation of the targeted systems. Attackers can leverage this flaw to construct targeted attacks against specific users within the organization, potentially leading to account takeover scenarios. The exposure of CSRF tokens particularly undermines the security of the application's anti-forgery protection mechanisms, making it possible for attackers to craft malicious requests that appear legitimate to the server. This vulnerability directly violates the principle of least privilege and demonstrates a failure in the security boundary enforcement that should exist between different origins.

Organizations affected by this vulnerability should immediately implement mitigations including applying the vendor-provided security patches, configuring proper CORS policies, and implementing additional authentication controls. The issue aligns with CWE-346, which addresses "Origin Validation Error," and represents a clear violation of the security principle that access controls should be enforced regardless of the authentication method used. From an ATT&CK framework perspective, this vulnerability maps to T1566, specifically targeting credential access through social engineering, and T1071, focusing on application layer protocols, as attackers can exploit the CORS configuration to access protected resources. Organizations should also consider implementing additional monitoring and logging to detect unauthorized access attempts and establish more robust session management policies to prevent similar vulnerabilities in the future.

Reservation

05/20/2021

Disclosure

08/03/2021

Moderation

accepted

CPE

ready

EPSS

0.01122

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!