CVE-2020-15840
Description
In Liferay Portal before 7.3.1, Liferay Portal 6.2 EE, and Liferay DXP 7.2, DXP 7.1 and DXP 7.0, the property 'portlet.resource.id.banned.paths.regexp' can be bypassed with double-encoded URLs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Liferay Portal and DXP allow bypassing banned path regex via double URL encoding, leading to arbitrary file access.
The vulnerability resides in the property portlet.resource.id.banned.paths.regexp, which is intended to block access to sensitive paths such as /META-INF and /WEB-INF. Because input validation is insufficient, an attacker can bypass this regex filter by supplying a double-encoded URL, which defeats the security control [1][3].
To exploit the flaw, an attacker sends a specially crafted HTTP request to a portlet resource with a double-encoded path. No authentication is required, and the attack can be performed remotely over the network [3]. The double encoding causes the server to decode the URL twice, allowing the banned path to be interpreted as a legitimate resource identifier.
Successful exploitation grants an attacker access to restricted portlet resources, including files within the /META-INF and /WEB-INF directories. This can expose sensitive configuration files, application internals, and potentially lead to further compromise of the Liferay instance [3].
Liferay has addressed the issue in versions 7.3.1, 7.1.3 (for DXP 7.1), and 7.4.0. Users are advised to upgrade to these or later releases. Liferay Portal 6.2 EE is also affected but may be end-of-life, so upgrading to a supported version is strongly recommended [3].
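As an added illustration (not code from Liferay or from this page), the Python below contrasts a banned-path regexp applied after a single percent-decode, which misses a doubly encoded resource id, with a check that canonicalizes the id to a fixed point first and fails closed. The regexp value, the decode limit and the sample ids are constructed, since the property's real default pattern is not given here.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed stand-in for portlet.resource.id.banned.paths.regexp; the real
# default value is not on this page, so this only covers the two directories
# the advisory names.
BANNED_PATHS_REGEXP = re.compile(r"(^|.*/)(META-INF|WEB-INF)(/.*|$)", re.IGNORECASE)

# Upper bound on decode passes so a hostile value cannot keep us looping.
MAX_DECODE_ROUNDS = 3


def check_once(resource_id: str) -> bool:
    """Weak pattern: apply the regexp after a single percent-decode.
    A doubly encoded id such as %252FWEB-INF%252Fweb.xml still contains
    '%2F' here, so the regexp never sees a slash and the id passes."""
    return bool(BANNED_PATHS_REGEXP.match(unquote(resource_id)))


def canonicalize(resource_id: str) -> str:
    """Decode until the value stops changing, then normalise the path."""
    current = resource_id
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(current)
        if decoded == current:
            # Fixed point reached: also collapse '\\', '//' and '..' segments.
            return posixpath.normpath(current.replace("\\", "/"))
        current = decoded
    raise ValueError("resource id still changing after %d decode passes" % MAX_DECODE_ROUNDS)


def check_hardened(resource_id: str) -> bool:
    """Hardened pattern: match the regexp against the canonical path, and
    treat an id that refuses to canonicalise as banned (fail closed)."""
    try:
        path = canonicalize(resource_id)
    except ValueError:
        return True
    return bool(BANNED_PATHS_REGEXP.match(path))


if __name__ == "__main__":
    # Constructed sample resource ids, from plain to over-encoded.
    for rid in ["/css/main.css", "/WEB-INF/web.xml", "%2FWEB-INF%2Fweb.xml",
                "%252FWEB-INF%252Fweb.xml", "%25252FWEB-INF%25252Fweb.xml"]:
        print("%-30s once=%-5s hardened=%s" % (rid, check_once(rid), check_hardened(rid)))
```

Only the single-decode check lets the doubly encoded id through; the triple-encoded id exceeds the decode limit and is denied by the hardened check rather than guessed at.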
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (ecosystem) | Affected versions | Patched versions |
|---|---|---|
| com.liferay.portal:com.liferay.portal.impl (Maven) | >= 7.2.0, < 7.4.0 | 7.4.0 |
| com.liferay.portal:release.dxp.bom (Maven) | < 7.0.10.fp93 | 7.0.10.fp93 |
| com.liferay.portal:release.dxp.bom (Maven) | >= 7.1.0, < 7.1.10.fp19 | 7.1.10.fp19 |
| com.liferay.portal:release.dxp.bom (Maven) | >= 7.2.0, < 7.2.10.fp7 | 7.2.10.fp7 |
| com.liferay.portal:release.portal.bom (Maven) | < 7.3.1 | 7.3.1 |
| com.liferay.portal:com.liferay.portal.impl (Maven) | < 7.1.3 | 7.1.3 |
Affected products
3 GHSA package coordinates:
- pkg:maven/com.liferay.portal/com.liferay.portal.impl
- pkg:maven/com.liferay.portal/release.dxp.bom
- pkg:maven/com.liferay.portal/release.portal.bom
Version ranges (no CPE assigned): >= 7.2.0, < 7.4.0; < 7.0.10.fp93; < 7.3.1; + 2 more
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-vrwx-q9pj-x488 (GHSA; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-15840 (GHSA; ADVISORY)
- issues.liferay.com/browse/LPE-17046 (GHSA; x_refsource_CONFIRM; WEB)
- portal.liferay.dev/learn/security/known-vulnerabilities (GHSA; x_refsource_MISC; WEB)
- portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119772204 (GHSA; x_refsource_CONFIRM; WEB)
- security.snyk.io/vuln/SNYK-JAVA-COMLIFERAYPORTAL-1296538 (GHSA; WEB)
News mentions
No linked articles in our index yet.