CVE-2020-7961
unknown
KEV
CVSS v3
—
CVSS v2
—
VIR risk
1.5
Description
Liferay Portal contains a deserialization of untrusted data vulnerability that allows remote attackers to execute code via JSON web services.
CISA KEV
- Vendor
- Liferay
- Product
- Liferay Portal
- Due date
- 2022-05-03
Predictions
Exploit likelihood
99%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: cisa-kev — https://nvd.nist.gov/vuln/detail/CVE-2020-7961
Exploits
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Maven | com.liferay.portal:com.liferay.portal.kernel | <4.35.3 | 4.35.3 |
References
- https://nvd.nist.gov/vuln/detail/CVE-2020-7961
- https://github.com/liferay/liferay-portal
- https://github.com/liferay/liferay-portal/blob/7.2.1-ga2/portal-kernel/bnd.bnd
- https://portal.liferay.dev/learn/security/known-vulnerabilities
- https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/117954271
- https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-7961
- http://packetstormsecurity.com/files/157254/Liferay-Portal-Java-Unmarshalling-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/158392/Liferay-Portal-Remote-Code-Execution.html
Verify integrity in audit chain (admin only). AS-IS.