VYPR
High severity · NVD Advisory · Published Jul 20, 2020 · Updated Aug 4, 2024

CVE-2020-15842

Description

Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 90, 7.1 before fix pack 17, and 7.2 before fix pack 5, allows man-in-the-middle attackers to execute arbitrary code via crafted serialized payloads, because of insecure deserialization.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Insecure deserialization in Liferay Portal and DXP allows remote code execution via man-in-the-middle attacks.

Vulnerability Overview

CVE-2020-15842 is an insecure deserialization vulnerability found in Liferay Portal versions before 7.3.0, and in Liferay DXP versions 7.0 (before fix pack 90), 7.1 (before fix pack 17), and 7.2 (before fix pack 5). The issue stems from the application's failure to properly validate serialized data, allowing a remote attacker to execute arbitrary code [1].

Attack Vector

An attacker in a man-in-the-middle network position can exploit this flaw by sending a crafted serialized payload to the vulnerable Liferay server. The attack does not require authentication, but it relies on the attacker being able to intercept or modify network traffic between the client and server, or to send malicious requests directly to the server where network access is available [1].

Impact

Successful exploitation results in arbitrary code execution in the context of the Liferay application server. This gives the attacker full control over the affected system, including the ability to read, modify, or delete sensitive data, install malware, or pivot to other internal systems. The CVSS score for this vulnerability is 9.8 (Critical), indicating a severe impact on confidentiality, integrity, and availability [1].

Mitigation

Liferay has released fixes for the affected versions: Liferay Portal 7.3.0 and Liferay DXP fix packs 90 (7.0), 17 (7.1), and 5 (7.2). Users are strongly advised to upgrade their installations to these patched versions or apply the respective fix packs. For environments that cannot be immediately upgraded, restricting network access and implementing strong network segmentation can reduce the risk of man-in-the-middle attacks [1][2].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                | Ecosystem | Affected versions           | Patched versions
com.liferay.portal:release.portal.bom  | Maven     | < 7.3.0                     | 7.3.0
com.liferay.portal:release.dxp.bom     | Maven     | >= 7.0.0, < 7.0.10.fp90     | 7.0.10.fp90
com.liferay.portal:release.dxp.bom     | Maven     | >= 7.1.0, < 7.1.10.fp17     | 7.1.10.fp17
com.liferay.portal:release.dxp.bom     | Maven     | >= 7.2.0, < 7.2.10.fp5      | 7.2.10.fp5
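The Mitigation section above comes down to one check: is the Liferay BOM a project pins inside the affected ranges in this table? The following is an added example, not part of this advisory page or of Liferay's own tooling, that encodes the four table rows and tests Maven coordinates from a pom.xml against them. It assumes the version scheme shown in the table (dot-separated numeric components with an optional trailing fix-pack component such as fp90, a base release sorting below any fix pack of the same release); the pom.xml content is constructed for the example, and unparseable versions (for example a ${property} reference) are reported separately rather than silently skipped.

```python
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Affected / patched ranges copied from the advisory table on this page.
ADVISORY = [
    ("com.liferay.portal:release.portal.bom", "< 7.3.0", "7.3.0"),
    ("com.liferay.portal:release.dxp.bom", ">= 7.0.0, < 7.0.10.fp90", "7.0.10.fp90"),
    ("com.liferay.portal:release.dxp.bom", ">= 7.1.0, < 7.1.10.fp17", "7.1.10.fp17"),
    ("com.liferay.portal:release.dxp.bom", ">= 7.2.0, < 7.2.10.fp5", "7.2.10.fp5"),
]


def parse_version(v: str) -> tuple:
    """Parse '7.0.10.fp90' into ((7, 0, 10), 90) for ordered comparison.

    Assumption (not stated on the page): components are integers, except an
    optional 'fpN' fix-pack component; a release with no fix pack gets fp 0,
    so '7.0.10' < '7.0.10.fp1'. Anything else raises ValueError."""
    numeric, fix_pack = [], 0
    for part in v.strip().split("."):
        m = re.fullmatch(r"fp(\d+)", part)
        if m:
            fix_pack = int(m.group(1))
        elif part.isdigit():
            numeric.append(int(part))
        else:
            raise ValueError(f"unrecognised version component {part!r} in {v!r}")
    while len(numeric) < 3:          # '7.3' compares like '7.3.0'
        numeric.append(0)
    return (tuple(numeric), fix_pack)


_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b,
}


def in_range(version: str, range_expr: str) -> bool:
    """True when version satisfies every comma-separated constraint, e.g. '>= 7.2.0, < 7.2.10.fp5'."""
    v = parse_version(version)
    for clause in range_expr.split(","):
        m = re.fullmatch(r"\s*(<=|>=|<|>|=)\s*(\S+)\s*", clause)
        if not m:
            raise ValueError(f"bad constraint {clause!r}")
        if not _OPS[m.group(1)](v, parse_version(m.group(2))):
            return False
    return True


def check_dependency(artifact: str, version: str) -> Optional[str]:
    """Return the patched version to move to if (artifact, version) is affected, else None."""
    for pkg, affected, patched in ADVISORY:
        if pkg == artifact and in_range(version, affected):
            return patched
    return None


POM_NS = "{http://maven.apache.org/POM/4.0.0}"


def scan_pom(pom_xml: str) -> dict:
    """Check every <dependency> in a POM (including dependencyManagement) against ADVISORY.

    Returns {'affected': [(artifact, declared, patched)], 'unparsed': [(artifact, declared)]}.
    Versions that cannot be parsed are listed under 'unparsed' so the caller knows
    they still need resolving (typically a ${property} defined elsewhere)."""
    root = ET.fromstring(pom_xml)
    result = {"affected": [], "unparsed": []}
    for dep in root.iter(POM_NS + "dependency"):
        g = dep.findtext(POM_NS + "groupId")
        a = dep.findtext(POM_NS + "artifactId")
        v = dep.findtext(POM_NS + "version")
        if not (g and a and v):
            continue
        artifact = f"{g}:{a}"
        try:
            patched = check_dependency(artifact, v)
        except ValueError:
            result["unparsed"].append((artifact, v))
            continue
        if patched:
            result["affected"].append((artifact, v, patched))
    return result


# Constructed sample POM: one DXP BOM inside the 7.2 range, one Portal BOM whose
# version is a property reference this scanner cannot resolve on its own.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>portal-app</artifactId><version>1.0</version>
  <dependencyManagement><dependencies>
    <dependency>
      <groupId>com.liferay.portal</groupId><artifactId>release.dxp.bom</artifactId>
      <version>7.2.10.fp3</version><type>pom</type><scope>import</scope>
    </dependency>
    <dependency>
      <groupId>com.liferay.portal</groupId><artifactId>release.portal.bom</artifactId>
      <version>${liferay.version}</version><type>pom</type><scope>import</scope>
    </dependency>
  </dependencies></dependencyManagement>
</project>"""

if __name__ == "__main__":
    for artifact, declared, patched in scan_pom(SAMPLE_POM)["affected"]:
        print(f"AFFECTED {artifact} {declared}: upgrade to {patched}")
    for artifact, declared in scan_pom(SAMPLE_POM)["unparsed"]:
        print(f"UNRESOLVED {artifact} {declared}: resolve the property and re-check")
```

Run against the sample, the DXP BOM at 7.2.10.fp3 is flagged with 7.2.10.fp5 as the target, while the property-pinned Portal BOM is reported as unresolved rather than passed. The fix-pack ordering is the part worth keeping an eye on: a plain 7.2.10 is treated as older than 7.2.10.fp5 and is therefore still affected, which matches the table's "< 7.2.10.fp5" bound.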

Affected products (3)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (4)

News mentions (0)

No linked articles in our index yet.