CVE-2020-15841: Liferay Portal and Liferay DXP Potentially Reveal LDAP Server Password via Unsafe Connection

May 24, 2022 (updated May 28, 2025)

Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 89, 7.1 before fix pack 17, and 7.2 before fix pack 4, does not safely test a connection to a LDAP server, which allows remote attackers to obtain the LDAP server’s password via the Test LDAP Connection feature.

References

github.com/advisories/GHSA-773f-f929-qgjj
github.com/liferay/liferay-portal
issues.liferay.com/browse/LPE-16928
nvd.nist.gov/vuln/detail/CVE-2020-15841
portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119317439

Code Behaviors & Features

Detect and mitigate CVE-2020-15841 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →