CVE-2020-15840: Liferay Portal and Liferay DXP Bypass via Double Encoded URL
(updated )
In Liferay Portal before 7.3.1, com.liferay.portal:com.liferay.portal.impl before 7.1.3 and 7.4.0, Liferay Portal 6.2 EE, and Liferay DXP 7.2, DXP 7.1 and DXP 7.0, the property ‘portlet.resource.id.banned.paths.regexp’ can be bypassed with doubled encoded URLs.
References
- github.com/advisories/GHSA-vrwx-q9pj-x488
- github.com/liferay/liferay-portal
- issues.liferay.com/browse/LPE-17046
- nvd.nist.gov/vuln/detail/CVE-2020-15840
- portal.liferay.dev/learn/security/known-vulnerabilities
- portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119772204
- security.snyk.io/vuln/SNYK-JAVA-COMLIFERAYPORTAL-1296538
Code Behaviors & Features
Detect and mitigate CVE-2020-15840 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →