CVE-2011-1502

Liferay Portal Community Edition (CE) 6.x before 6.0.6 GA, when Apache Tomcat is used, allows remote authenticated users to read arbitrary files via an entity declaration in conjunction with an entity reference, related to an XML External Entity (aka XXE) issue.

CVSS v2.0 4.0 MEDIUM

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://issues.liferay.com/browse/LPS-14927	Issue Tracking Vendor Advisory
http://openwall.com/lists/oss-security/2011/03/29/1	Mailing List Third Party Advisory
http://openwall.com/lists/oss-security/2011/04/08/5	Mailing List Third Party Advisory
http://openwall.com/lists/oss-security/2011/04/11/9	Mailing List Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:liferay:liferay_portal:*:*:*:*:community:*:*:*

History

No history.

Information

Published : 2011-05-07 19:55

Updated : 2024-02-04 17:54

NVD link : CVE-2011-1502

Mitre link : CVE-2011-1502

CVE.ORG link : CVE-2011-1502

JSON object : View

Products Affected

liferay

liferay_portal

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2011-1502", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2011-05-07T19:55:00.947", "references": [{"url": "http://issues.liferay.com/browse/LPS-14927", "tags": ["Issue Tracking", "Vendor Advisory"], "source": "secalert@redhat.com"}, {"url": "http://openwall.com/lists/oss-security/2011/03/29/1", "tags": ["Mailing List", "Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "http://openwall.com/lists/oss-security/2011/04/08/5", "tags": ["Mailing List", "Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "http://openwall.com/lists/oss-security/2011/04/11/9", "tags": ["Mailing List", "Third Party Advisory"], "source": "secalert@redhat.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "Liferay Portal Community Edition (CE) 6.x before 6.0.6 GA, when Apache Tomcat is used, allows remote authenticated users to read arbitrary files via an entity declaration in conjunction with an entity reference, related to an XML External Entity (aka XXE) issue."}, {"lang": "es", "value": "Liferay Portal Community Edition (CE) v6.x anterior a v6.0.6 GA, cuando Apache Tomcat es utilizado, permite a usuarios remotos autenticados leer archivos arbitrarios a trav\u00e9s de una declaraci\u00f3n de entidad junto con una referencia de entidad, relacionado con un asunto XML External Entity (tambi\u00e9n conocido como XXE)"}], "lastModified": "2020-07-23T18:21:44.470", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:community:*:*:*", "vulnerable": true, "matchCriteriaId": "36D6FB97-DA02-4BE8-9546-2676F79BD9BA", "versionEndIncluding": "6.0.5", "versionStartIncluding": "6.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}