CVE-2023-47798 - OpenCVE

Account lockout in Liferay Portal 7.2.0 through 7.3.0, and older unsupported versions, and Liferay DXP 7.2 before fix pack 5, and older unsupported versions does not invalidate existing user sessions, which allows remote authenticated users to remain authenticated after an account has been locked.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

No data.

No data.

References

Link	Resource
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-47798

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Liferay

Published: 2024-02-08T02:55:43.923Z

Updated: 2024-02-08T02:55:43.923Z

Reserved: 2023-11-10T01:49:20.188Z

Link: CVE-2023-47798

JSON object: View

NVD Information

Status : Awaiting Analysis

Published: 2024-02-08T03:15:07.367

Modified: 2024-02-08T03:29:33.180

Link: CVE-2023-47798

JSON object: View

Redhat Information

No data.

CWE

CWE-384

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-47798", "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3", "state": "PUBLISHED", "assignerShortName": "Liferay", "dateReserved": "2023-11-10T01:49:20.188Z", "datePublished": "2024-02-08T02:55:43.923Z", "dateUpdated": "2024-02-08T02:55:43.923Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "product": "Portal", "vendor": "Liferay", "versions": [{"lessThanOrEqual": "7.3.0", "status": "affected", "version": "7.2.0", "versionType": "maven"}]}, {"defaultStatus": "unknown", "product": "DXP", "vendor": "Liferay", "versions": [{"lessThanOrEqual": "7.2.10-dxp-4", "status": "affected", "version": "7.2.10", "versionType": "maven"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Account lockout in Liferay Portal 7.2.0 through 7.3.0, and older unsupported versions, and Liferay DXP 7.2 before fix pack 5, and older unsupported versions does not invalidate existing user sessions, which allows remote authenticated users to remain authenticated after an account has been locked."}], "value": "Account lockout in Liferay Portal 7.2.0 through 7.3.0, and older unsupported versions, and Liferay DXP 7.2 before fix pack 5, and older unsupported versions does not invalidate existing user sessions, which allows remote authenticated users to remain authenticated after an account has been locked."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-384", "description": "CWE-384 Session Fixation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3", "shortName": "Liferay", "dateUpdated": "2024-02-08T02:55:43.923Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-47798"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}