CVE-2024-25607: Liferay Portal defaults to a low work factor for the default password hashing algorithm

February 20, 2024 (updated December 11, 2024)

The default password hashing algorithm (PBKDF2-HMAC-SHA1) in Liferay Portal 7.2.0 through 7.4.3.15, and older unsupported versions, and Liferay DXP 7.4 before update 16, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions defaults to a low work factor, which allows attackers to quickly crack password hashes.

References

github.com/advisories/GHSA-43h9-p3j4-39hm
github.com/liferay/liferay-portal
liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25607
nvd.nist.gov/vuln/detail/CVE-2024-25607

Code Behaviors & Features

Detect and mitigate CVE-2024-25607 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →