CVE-2021-33333: Liferay Portal and Liferay DXP Fails to Check User Permissions for Workflow Submissions

May 24, 2022 (updated May 28, 2025)

The Portal Workflow module in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 93, 7.1 before fix pack 19 and 7.2 before fix pack 6, does not properly check user permission, which allows remote authenticated users to view and delete workflow submissions via crafted URLs.

References

github.com/advisories/GHSA-g7xc-m762-wg8f
github.com/liferay/liferay-portal
issues.liferay.com/browse/LPE-17032
nvd.nist.gov/vuln/detail/CVE-2021-33333
portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747742

Code Behaviors & Features

Detect and mitigate CVE-2021-33333 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →