CVE Catalog

CVE-2023-33946

LowCVSS 2.7
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.61%

44th percentile — higher than 44% of all known CVEs

Summary

The Object module in Liferay Portal versions 7.4.3.4 to 7.4.3.48 and Liferay DXP 7.4 before update 49 does not properly isolate objects in different virtual instances. This allows remote authenticated users in one virtual instance to view objects in a different virtual instance via the OAuth 2 scope administration page.

Risk Assessment

The risk is that users may gain access to data that should be unavailable to them, potentially leading to privacy breaches and data security issues within the organization.

Recommendation

It is recommended to update Liferay Portal to version 7.4.3.49 or later to ensure proper isolation of objects in different virtual instances.

Original NVD description (English source)

The Object module in Liferay Portal 7.4.3.4 through 7.4.3.48, and Liferay DXP 7.4 before update 49 does properly isolate objects in difference virtual instances, which allows remote authenticated users in one virtual instance to view objects in a different virtual instance via OAuth 2 scope administration page.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS