CVE-2024-25143 - OpenCVE

The Document and Media widget In Liferay Portal 7.2.0 through 7.3.6, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 13, and older unsupported versions, does not limit resource consumption when generating a preview image, which allows remote authenticated users to cause a denial of service (memory consumption) via crafted PNG images.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

No data.

No data.

References

Link	Resource
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25143

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Liferay

Published: 2024-02-07T14:45:04.168Z

Updated: 2024-02-07T14:45:04.168Z

Reserved: 2024-02-06T10:32:42.566Z

Link: CVE-2024-25143

JSON object: View

NVD Information

Status : Awaiting Analysis

Published: 2024-02-07T15:15:08.907

Modified: 2024-02-07T17:04:54.407

Link: CVE-2024-25143

JSON object: View

Redhat Information

No data.

CWE

CWE-400

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2024-25143", "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3", "state": "PUBLISHED", "assignerShortName": "Liferay", "dateReserved": "2024-02-06T10:32:42.566Z", "datePublished": "2024-02-07T14:45:04.168Z", "dateUpdated": "2024-02-07T14:45:04.168Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "product": "DXP", "vendor": "Liferay", "versions": [{"lessThanOrEqual": "7.3.10-dxp-2", "status": "affected", "version": "7.3.10", "versionType": "maven"}, {"lessThanOrEqual": "7.2.10-dxp-12", "status": "affected", "version": "7.2.10", "versionType": "maven"}]}, {"defaultStatus": "unknown", "product": "Portal", "vendor": "Liferay", "versions": [{"lessThanOrEqual": "7.3.6", "status": "affected", "version": "7.2.0", "versionType": "maven"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The Document and Media widget In Liferay Portal 7.2.0 through 7.3.6, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 13, and older unsupported versions, does not limit resource consumption when generating a preview image, which allows remote authenticated users to cause a denial of service (memory consumption) via crafted PNG images."}], "value": "The Document and Media widget In Liferay Portal 7.2.0 through 7.3.6, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 13, and older unsupported versions, does not limit resource consumption when generating a preview image, which allows remote authenticated users to cause a denial of service (memory consumption) via crafted PNG images."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3", "shortName": "Liferay", "dateUpdated": "2024-02-07T14:45:04.168Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25143"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}