CVE-2020-15842: Liferay Portal and Liferay DXP have Insecure Deserialization Vulnerability

May 24, 2022 (updated May 28, 2025)

Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 90, 7.1 before fix pack 17, and 7.2 before fix pack 5, allows man-in-the-middle attackers to execute arbitrary code via crafted serialized payloads, because of insecure deserialization.

References

github.com/advisories/GHSA-mg3r-9jh8-33r9
github.com/liferay/liferay-portal
issues.liferay.com/browse/LPE-16963
nvd.nist.gov/vuln/detail/CVE-2020-15842
portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119317427

Code Behaviors & Features

Detect and mitigate CVE-2020-15842 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →