CVE-2025-43768 in Liferayinfo

Summary

by MITRE • 08/23/2025

Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15 and 7.4 GA through update 92 allows authenticated users without any permissions to access sensitive information of admin users using JSONWS APIs.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 12/13/2025

This vulnerability resides in the Liferay Portal and Liferay DXP platforms where authenticated users can exploit JSONWS APIs to access sensitive administrative information without possessing any specific permissions. The flaw represents a critical authorization bypass issue that undermines the security model of these enterprise portal solutions. The vulnerability affects multiple version ranges including Liferay Portal 7.4.0 through 7.4.3.131 and various Liferay DXP releases from 2024.Q1.1 through 2024.Q4.7. This issue falls under CWE-284 which describes improper access control, specifically allowing unauthorized access to protected resources through API endpoints. The technical implementation appears to lack proper permission validation within the JSONWS service layer where user credentials are accepted but administrative data access is not adequately restricted.

The operational impact of this vulnerability is severe as it enables malicious or compromised authenticated users to extract sensitive information about administrative accounts including user identifiers, roles, and potentially other privileged data. Attackers could leverage this to understand the administrative structure of the portal, identify high-value targets, and potentially escalate their access through further exploitation. The vulnerability exists because the JSONWS APIs do not properly enforce role-based access controls or permission checks before returning administrative user data, creating a significant information disclosure risk. This issue directly maps to ATT&CK technique T1078 which covers valid accounts and T1566 which involves credential harvesting through application vulnerabilities.

Organizations using affected Liferay versions should immediately apply the vendor-provided patches and updates to address this vulnerability. System administrators should conduct thorough audits of their portal configurations to ensure proper role assignments and access controls are in place. Network segmentation and monitoring should be implemented to detect unusual API access patterns that might indicate exploitation attempts. Security teams should review user access policies and implement principle of least privilege controls to minimize the impact if exploitation occurs. Additionally, regular security assessments of web services and API endpoints should be conducted to identify similar authorization gaps in other applications. The vulnerability highlights the importance of proper input validation and access control enforcement within web service implementations, particularly when dealing with sensitive administrative data. Organizations should also consider implementing additional authentication mechanisms such as multi-factor authentication for administrative accounts and regular security training for developers to prevent similar issues in custom portal extensions.

Responsible

Liferay

Reservation

04/17/2025

Disclosure

08/23/2025

Moderation

accepted

CPE

ready

EPSS

0.00296

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!