GHSA-2mx7-xvfg-fg53

Suggest an improvement
Source
https://github.com/advisories/GHSA-2mx7-xvfg-fg53
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-2mx7-xvfg-fg53/GHSA-2mx7-xvfg-fg53.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-2mx7-xvfg-fg53
Aliases
Published
2024-02-08T03:32:45Z
Modified
2024-10-03T18:57:35.550608Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVSS Calculator
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Liferay Portal's account lockout does not invalidate existing user sessions
Details

Account lockout in Liferay Portal 7.2.0 through 7.3.0, and older unsupported versions, and Liferay DXP 7.2 before fix pack 5, and older unsupported versions does not invalidate existing user sessions, which allows remote authenticated users to remain authenticated after an account has been locked.

Database specific
{
    "nvd_published_at": "2024-02-08T03:15:07Z",
    "cwe_ids": [
        "CWE-384"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-08T18:25:35Z"
}
References

Affected packages

Maven / com.liferay.portal:release.portal.bom

Package

Name
com.liferay.portal:release.portal.bom
View open source insights on deps.dev
Purl
pkg:maven/com.liferay.portal/release.portal.bom

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.2.0
Fixed
7.3.1

Affected versions

7.*

7.2.0
7.2.1
7.2.1-1
7.3.0
7.3.0-1

Maven / com.liferay.portal:release.dxp.bom

Package

Name
com.liferay.portal:release.dxp.bom
View open source insights on deps.dev
Purl
pkg:maven/com.liferay.portal/release.dxp.bom

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.2.0
Fixed
7.2.10.fp5

Affected versions

7.*

7.2.1
7.2.10
7.2.10.fp1
7.2.10.fp1-1
7.2.10.fp2
7.2.10.fp3
7.2.10.fp4