Skip to main content
HomePentest-Tools.com Logo

Vulnerabilities & Exploits

Liferay Portal - Remote Code Execution (CVE-2020-7961)

Severity
CVSSv3 Score
9.8
CVE
Cybersecurity Infrastructure Security Agency (CISA)CVE-2020-7961
Vulnerability description

Liferay Portal server is vulnerable to CVE-2020-7961, a Remote Code Injection vulnerability affecting multiple methods found in the /api/jsonws endpoint. The root cause of this vulnerability is the improper deserialization of untrusted data provided by the user. A remote unauthenticated attacker can perform remote class loading through deserialization via a malicious machine that serves specially crafted Java class files that run arbitrary code on the target.

Risk description

The risk exists that a remote unauthenticated attacker can fully compromise the Liferay Server in order to steal confidential information, install ransomware or pivot to the internal network.

Exploit capabilities

Sniper can gain unauthenticated Remote Code Execution on the target system and extract multiple artefacts as evidence.

Recommendation

Apply the latest updates for the Liferay Server.

References

https://nvd.nist.gov/vuln/detail/CVE-2020-7961

Codename
Not available
Detectable with
Network Scanner
Exploitable with Sniper
Yes
Vuln date
Mar 2020
Published at
Updated at
Software Type
Enterprise Information Portal
Vendor
Liferay
Product
Portal