CVE-2021-33338 in Liferay
Summary
by MITRE • 08/04/2021
The Layout module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 6, exposes the CSRF token in URLs, which allows man-in-the-middle attackers to obtain the token and conduct Cross-Site Request Forgery (CSRF) attacks via the p_auth parameter.
Analysis
by VulDB Data Team • 05/14/2025
The vulnerability identified as CVE-2021-33338 represents a critical security flaw within the Layout module of Liferay Portal and Liferay DXP platforms. This issue affects versions ranging from Liferay Portal 7.1.0 through 7.3.2, while also impacting Liferay DXP 7.1 before fix pack 19 and 7.2 before fix pack 6. The core problem lies in how the system handles Cross-Site Request Forgery protection mechanisms, specifically exposing sensitive authentication tokens within URL parameters rather than maintaining them securely in HTTP headers or hidden form fields.
The technical implementation flaw occurs when the system incorporates the p_auth parameter directly into URLs for layout rendering and navigation purposes. This design choice fundamentally undermines the security model intended to prevent CSRF attacks by making the authentication token accessible through URL manipulation. When attackers intercept network traffic or perform man-in-the-middle operations, they can extract the p_auth token from URLs and subsequently use it to forge authenticated requests against the vulnerable Liferay instances. This exposure creates a direct pathway for attackers to execute unauthorized actions on behalf of legitimate users, particularly targeting administrative functions and user data modifications.
The operational impact of this vulnerability extends beyond simple privilege escalation to encompass comprehensive session hijacking capabilities. Attackers can leverage the exposed CSRF tokens to perform actions such as modifying user permissions, creating new user accounts, accessing restricted content, and executing destructive operations within the portal environment. The vulnerability's persistence across multiple versions indicates a fundamental architectural issue that affects the core security framework of these platforms, potentially compromising thousands of user sessions and administrative functions simultaneously. Organizations utilizing these vulnerable versions face significant risk of unauthorized access and data compromise, particularly in environments where network traffic interception is possible.
Security mitigations for this vulnerability primarily focus on immediate version upgrades to patched releases that address the token exposure issue. Organizations should implement the latest fix packs for their specific Liferay versions, particularly ensuring Liferay DXP 7.1 is updated to fix pack 19 or later, and Liferay DXP 7.2 to fix pack 6 or later. Additionally, network security controls should be enhanced to detect and prevent URL parameter injection attacks, while implementing proper session management policies that do not expose authentication tokens through URL parameters. The vulnerability aligns with CWE-352, which specifically addresses Cross-Site Request Forgery, and maps to ATT&CK technique T1566.001 for credential access through man-in-the-middle attacks. Organizations should also consider implementing web application firewalls and network monitoring solutions to detect suspicious URL patterns containing authentication tokens, as this represents a critical weakness in the platform's security architecture that requires immediate remediation to prevent exploitation.
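The two practical points in the analysis above, that an anti-CSRF token carried in the URL (the p_auth parameter) can be read by anyone who sees the request line, and that monitoring should flag URLs that carry such tokens, can be made concrete with a small defender-side script. The following is an added example, not code from Liferay or from VulDB: it shows a token check that only honours the token when it arrives in a request header or POST body (never from the query string), plus a scanner over constructed web-server log lines that reports and redacts any request whose URL carries a token-bearing parameter. Only the name p_auth comes from the advisory; the other parameter names, the header name X-CSRF-Token, the log format and the sample log lines are assumptions made for this example.

```python
"""Added example (not Liferay or VulDB code): CSRF token placement checks.

Two defender-side pieces around the weakness in CVE-2021-33338:
  * validate_csrf(): accept the anti-CSRF token only from a request header
    or a POST body field, never from the URL query string;
  * scan_access_log(): flag log lines whose request URL carries a
    token-bearing parameter such as p_auth, and return a redacted copy
    of the URL that is safe to keep in a report.
The parameter names other than p_auth, the header name, the log format and
the sample lines are constructed for this example.
"""
import hmac
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query-string parameter names treated as secrets. `p_auth` is the Liferay
# CSRF token parameter named in the advisory; the others are hypothetical.
TOKEN_PARAMS = {"p_auth", "csrf_token", "_token"}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for the example)."""
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def validate_csrf(req: Request, session_token: str) -> bool:
    """Return True only if a state-changing request presents the session's
    CSRF token in a header or in the POST body. A token that appears only in
    the query string is ignored: that placement is what the advisory is about.
    """
    if req.method.upper() in {"GET", "HEAD", "OPTIONS"}:
        return True  # safe methods carry no CSRF check
    presented = req.headers.get("X-CSRF-Token") or req.form.get("p_auth")
    if presented is None:
        return False
    # constant-time comparison avoids leaking the token through timing
    return hmac.compare_digest(presented, session_token)


def token_params_in_url(url: str) -> list:
    """Sorted names of token-bearing query parameters present in `url`."""
    query = urlsplit(url).query
    return sorted({k for k, _ in parse_qsl(query, keep_blank_values=True)
                   if k in TOKEN_PARAMS})


def redact_url(url: str) -> str:
    """Copy of `url` with every token parameter value replaced by REDACTED."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k in TOKEN_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


# Combined log format: client ident user [time] "method path proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def scan_access_log(lines):
    """Return a list of (client, method, param_names, redacted_path) tuples,
    one for each line whose request path carries a token-bearing parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognisable access-log line
        client, method, path, _status = m.groups()
        names = token_params_in_url(path)
        if names:
            findings.append((client, method, names, redact_url(path)))
    return findings


# Constructed sample log lines; addresses, paths and the token value are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /web/guest/home HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /group/control_panel/manage?p_auth=EXAMPLETOKEN&p_p_id=1 HTTP/1.1" 200 2048',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "POST /c/portal/update_layout HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for client, method, names, path in scan_access_log(SAMPLE_LOG):
        print(f"{client} {method} {path} carries token parameter(s): {', '.join(names)}")
```

Run as-is, the script reports only the second sample line, with the token value already replaced, so the finding can be stored or forwarded without re-exposing the secret. In a real deployment the same logic would sit in a log pipeline (or a WAF rule) feeding from the reverse proxy in front of the portal, and the set of parameter names would be taken from the application's own token naming rather than the constructed list here.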