Base Score

HIGH8.8

CVE-2020-15841

Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 89, 7.1 before fix pack 17, and 7.2 before fix pack 4, does not safely test a connection to a LDAP server, which allows remote attackers to obtain the LDAP server's password via the Test LDAP Connection feature.

VectorNETWORK

Published Bycve@mitre.org

Published DateJul 20, 2020, 02:15

Affected Versions(4)

com.liferay.portal:release.portal.bom(Maven)

Introduced0

Fixed7.3.0

LimitN/A

com.liferay.portal:release.dxp.bom(Maven)

Introduced7.0.0

Fixed7.0.10.fp89

LimitN/A

com.liferay.portal:release.dxp.bom(Maven)

Introduced7.1.0

Fixed7.1.10.fp17

LimitN/A

com.liferay.portal:release.dxp.bom(Maven)

Introduced7.2.0

Fixed7.2.10.fp4

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
com.liferay.portal:release.portal.bom(Maven)	0	7.3.0	N/A
com.liferay.portal:release.dxp.bom(Maven)	7.0.0	7.0.10.fp89	N/A
com.liferay.portal:release.dxp.bom(Maven)	7.1.0	7.1.10.fp17	N/A
com.liferay.portal:release.dxp.bom(Maven)	7.2.0	7.2.10.fp4	N/A

Weakness Type (CWE):NVD-CWE-noinfo

CVSS Metrics

Base Score

8.8

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

REQUIRED

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

HIGH

References

Base Score

HIGH8.8

Weakness Type (CWE):NVD-CWE-noinfo

CVSS Metrics

Base Score

8.8

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

REQUIRED

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

HIGH