CVE-2024-25143: Liferay Portal denial of service (memory consumption)
(updated )
The Document and Media widget In Liferay Portal 7.2.0 through 7.3.6, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 13, and older unsupported versions, does not limit resource consumption when generating a preview image, which allows remote authenticated users to cause a denial of service (memory consumption) via crafted PNG images.
References
- github.com/advisories/GHSA-87m3-6qj3-p3xh
- github.com/liferay/liferay-portal
- github.com/liferay/liferay-portal/commit/29b73b9b896c7d44fb5d1800a402698c303d1cf6
- github.com/liferay/liferay-portal/commit/4381c10ad0722b3b00c3e3567b68538ab0994145
- github.com/liferay/liferay-portal/releases/tag/7.3.7-ga8
- liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25143
- nvd.nist.gov/vuln/detail/CVE-2024-25143
Detect and mitigate CVE-2024-25143 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →