Liferay Portal - Remote Code Execution (CVE-2020-7961)
- Severity
- CVSSv3 Score
- 9.8
- Vulnerability description
Liferay Portal server is vulnerable to CVE-2020-7961, a Remote Code Injection vulnerability affecting multiple methods found in the /api/jsonws endpoint. The root cause of this vulnerability is the improper deserialization of untrusted data provided by the user. A remote unauthenticated attacker can perform remote class loading through deserialization via a malicious machine that serves specially crafted Java class files that run arbitrary code on the target.
- Risk description
The risk exists that a remote unauthenticated attacker can fully compromise the Liferay Server in order to steal confidential information, install ransomware or pivot to the internal network.
- Exploit capabilities
Sniper can gain unauthenticated Remote Code Execution on the target system and extract multiple artefacts as evidence.
- Recommendation
Apply the latest updates for the Liferay Server.
- Codename
- Not available
- Detectable with
- Network Scanner
- Exploitable with Sniper
- Yes
- Vuln date
- Mar 2020
- Published at
- Updated at
- Software Type
- Enterprise Information Portal
- Vendor
- Liferay
- Product
- Portal