GHSA-xx2h-2hf5-v7vv

Source
https://github.com/advisories/GHSA-xx2h-2hf5-v7vv
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-xx2h-2hf5-v7vv/GHSA-xx2h-2hf5-v7vv.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-xx2h-2hf5-v7vv
Aliases
Published
2022-05-24T19:02:39Z
Modified
2025-05-28T20:44:34.440618Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Liferay Portal and Liferay DXP May Reveal S3 Store's Proxy Password
Details

The Portal Store module in Liferay Portal 7.0.0 through 7.3.5, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 does not obfuscate the S3 store's proxy password, which allows attackers to steal the proxy password via man-in-the-middle attacks or shoulder surfing.

Database specific
{
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-28T20:10:38Z",
    "nvd_published_at": "2021-05-17T11:15:00Z",
    "cwe_ids": [
        "CWE-200",
        "CWE-522"
    ],
    "severity": "MODERATE"
}
References

Affected packages

Maven

com.liferay.portal:release.portal.bom

Package

Name
com.liferay.portal:release.portal.bom
Purl
pkg:maven/com.liferay.portal/release.portal.bom

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.0.0
Fixed
7.3.6

Affected versions

7.*

7.0.6
7.0.6-1
7.0.6-2
7.1.0
7.1.1
7.1.2
7.1.3
7.1.3-1
7.2.0
7.2.1
7.2.1-1
7.3.0
7.3.0-1
7.3.1
7.3.1-1
7.3.2
7.3.2-1
7.3.3
7.3.3-1
7.3.4
7.3.5

Database specific

last_known_affected_version_range

"<= 7.3.5"

com.liferay.portal:release.dxp.bom

Package

Name
com.liferay.portal:release.dxp.bom
Purl
pkg:maven/com.liferay.portal/release.dxp.bom

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
7.0.10.fp97

Affected versions

7.*

7.0.10.fp60
7.0.10.fp61
7.0.10.fp62
7.0.10.fp63
7.0.10.fp64
7.0.10.fp65
7.0.10.fp66
7.0.10.fp67
7.0.10.fp68
7.0.10.fp69
7.0.10.fp70
7.0.10.fp71
7.0.10.fp72
7.0.10.fp73
7.0.10.fp74
7.0.10.fp75
7.0.10.fp76
7.0.10.fp77
7.0.10.fp78
7.0.10.fp79
7.0.10.fp80
7.0.10.fp81
7.0.10.fp82
7.0.10.fp83
7.0.10.fp84
7.0.10.fp85
7.0.10.fp85-1
7.0.10.fp86
7.0.10.fp86-1
7.0.10.fp87
7.0.10.fp87-1
7.0.10.fp88
7.0.10.fp89
7.0.10.fp90
7.0.10.fp91
7.0.10.fp92
7.0.10.fp94
7.0.10.fp94-1
7.0.10.fp95
7.0.10.fp95-1
7.0.10.fp95-2

com.liferay.portal:release.dxp.bom

Package

Name
com.liferay.portal:release.dxp.bom
Purl
pkg:maven/com.liferay.portal/release.dxp.bom

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.1.0
Fixed
7.1.10.fp21

Affected versions

7.*

7.1.10
7.1.10.fp1
7.1.10.fp2
7.1.10.fp3
7.1.10.fp4
7.1.10.fp5
7.1.10.fp6
7.1.10.fp7
7.1.10.fp8
7.1.10.fp9
7.1.10.fp10
7.1.10.fp11
7.1.10.fp12
7.1.10.fp13
7.1.10.fp14
7.1.10.fp15
7.1.10.fp16
7.1.10.fp17
7.1.10.fp18
7.1.10.fp19
7.1.10.fp20

com.liferay.portal:release.dxp.bom

Package

Name
com.liferay.portal:release.dxp.bom
Purl
pkg:maven/com.liferay.portal/release.dxp.bom

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.2.0
Fixed
7.2.10.fp10

Affected versions

7.*

7.2.1
7.2.10
7.2.10.fp1
7.2.10.fp1-1
7.2.10.fp2
7.2.10.fp3
7.2.10.fp4
7.2.10.fp5
7.2.10.fp6
7.2.10.fp7
7.2.10.fp8
7.2.10.fp9

com.liferay.portal:release.dxp.bom

Package

Name
com.liferay.portal:release.dxp.bom
Purl
pkg:maven/com.liferay.portal/release.dxp.bom

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.3.0
Fixed
7.3.10.fp1

Affected versions

7.*

7.3.10
7.3.10.ep3
7.3.10.ep4
7.3.10.ep5