CVE Catalog

CVE-2023-33947

LowCVSS 2.7
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.61%

44th percentile — higher than 44% of all known CVEs

Summary

The Object module in Liferay Portal versions 7.4.3.4 to 7.4.3.60 and Liferay DXP 7.4 before update 61 does not segment object definitions by virtual instance in searches. This allows remote authenticated users in one virtual instance to view object definitions from a second virtual instance.

Risk Assessment

The risk is that users may gain access to sensitive information from other virtual instances, potentially leading to data privacy breaches and security issues for the organization.

Recommendation

It is recommended to update Liferay Portal to version 7.4.3.61 or later to mitigate this vulnerability and ensure proper segmentation of object definitions.

Original NVD description (English source)

The Object module in Liferay Portal 7.4.3.4 through 7.4.3.60, and Liferay DXP 7.4 before update 61 does not segment object definition by virtual instance in search which allows remote authenticated users in one virtual instance to view object definition from a second virtual instance by searching for the object definition.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS