Description Preview
Overview
This vulnerability (CVE-2021-33333) is classified as CWE-276: Incorrect Default Permissions. The issue exists in the Portal Workflow module of Liferay Portal and DXP, where the application fails to properly validate user permissions before allowing access to workflow submission data. An authenticated attacker can exploit this vulnerability by crafting specific URLs to bypass permission checks, gaining unauthorized access to view or delete workflow submissions that should be restricted. This could lead to information disclosure, data loss, or disruption of business processes that rely on these workflows.
Remediation
Organizations using affected versions of Liferay should update to the following patched versions:
- Liferay Portal: Update to a version newer than 7.3.2
- Liferay DXP 7.0: Apply fix pack 93 or later
- Liferay DXP 7.1: Apply fix pack 19 or later
- Liferay DXP 7.2: Apply fix pack 6 or later
If immediate patching is not possible, consider implementing the following temporary mitigations:
- Restrict access to the Portal Workflow module to only essential users
- Implement additional network-level access controls for workflow-related endpoints
- Monitor workflow submission activities for unauthorized access attempts
- Regularly review workflow permissions and user access rights
References
- Liferay Issue Tracker: https://issues.liferay.com/browse/LPE-17032
- Liferay Security Advisory: https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747742
- CWE-276: Incorrect Default Permissions: https://cwe.mitre.org/data/definitions/276.html
Industry ExposureMost to leastThis section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.
- Transportation & WarehousingTransportation & Warehousing
- Accommodation & Food ServicesAccommodation & Food Services
- Administrative, Support, Waste Management & Remediation ServicesAdministrative, Support, Waste Management & Remediation Services
- Agriculture, Forestry Fishing & HuntingAgriculture, Forestry Fishing & Hunting
- Arts, Entertainment & RecreationArts, Entertainment & Recreation
- ConstructionConstruction
- Educational ServicesEducational Services
- Finance and InsuranceFinance and Insurance
- Health Care & Social AssistanceHealth Care & Social Assistance
- InformationInformation
- Management of Companies & EnterprisesManagement of Companies & Enterprises
- ManufacturingManufacturing
- MiningMining
- Other Services (except Public Administration)Other Services (except Public Administration)
- Professional, Scientific, & Technical ServicesProfessional, Scientific, & Technical Services
- Public AdministrationPublic Administration
- Real Estate Rental & LeasingReal Estate Rental & Leasing
- Retail TradeRetail Trade
- UtilitiesUtilities
- Wholesale TradeWholesale Trade
