Description
A remote code execution vulnerability exists in Liferay Portal 6.1 that can be exploited via JSON web services (JSONWS).
The JSONWS servlet of Liferay Portal uses the flexjson library, which allows the instantiation of arbitrary classes and the invocation of arbitrary setter methods.
Remediation
Upgrade to the latest version of Liferay Portal.
Related Vulnerabilities
Microsoft Exchange Server Server-Side Request Forgery (SSRF) vulnerability
Apache OFBiz XMLRPC Deserialization RCE (CVE-2020-9496/CVE-2023-49070)
GhostScript RCE (Remote Code Execution)
WordPress Plugin Arigato Autoresponder and Newsletter Remote Code Execution (2.5.1.9)
F5 iControl REST unauthenticated remote command execution vulnerability