CVE-2021-29043
Description
The Portal Store module in Liferay Portal 7.0.0 through 7.3.5, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 does not obfuscate the S3 store's proxy password, which allows attackers to steal the proxy password via man-in-the-middle attacks or shoulder surfing.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Portal Store module in Liferay Portal and DXP exposes the S3 proxy password in plaintext, enabling theft via MITM or shoulder surfing.
Vulnerability
The Portal Store module in Liferay Portal 7.0.0 through 7.3.5, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 21, 7.2 before fix pack 10, and 7.3 before fix pack 1 does not obfuscate the S3 store's proxy password [1][3]. This allows the password to be transmitted or displayed in plaintext.
Exploitation
An attacker can steal the proxy password via man-in-the-middle attacks by intercepting network traffic, or through shoulder surfing by observing the password on screen [1]. No special privileges are required beyond network access or physical proximity.
Impact
Successful exploitation grants the attacker the S3 store's proxy password, potentially leading to unauthorized access to the S3 store and data exposure [1].
Mitigation
For Liferay Portal 7.3, upgrade to 7.3 CE GA7 (7.3.6). For 7.2, apply the source patch for 7.2 GA2 (7.2.1) available on GitHub. For 7.0 and 7.1, upgrade to 7.2.1 and apply the latest patch. For Liferay DXP, apply fix pack 97 for 7.0, fix pack 21 for 7.1, fix pack 10 for 7.2, and fix pack 1 for 7.3 [3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| com.liferay.portal:release.portal.bom | Maven | >= 7.0.0, < 7.3.6 | 7.3.6 |
| com.liferay.portal:release.dxp.bom | Maven | < 7.0.10.fp97 | 7.0.10.fp97 |
| com.liferay.portal:release.dxp.bom | Maven | >= 7.1.0, < 7.1.10.fp21 | 7.1.10.fp21 |
| com.liferay.portal:release.dxp.bom | Maven | >= 7.2.0, < 7.2.10.fp10 | 7.2.10.fp10 |
| com.liferay.portal:release.dxp.bom | Maven | >= 7.3.0, < 7.3.10.fp1 | 7.3.10.fp1 |
Affected products
- Liferay / Liferay Portal (from description)
  - Range: >= 7.0.0, <= 7.3.5
- GHSA coordinates (no CPE)
  - Range: < 7.0.10.fp97
  - Range: >= 7.0.0, < 7.3.6
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-xx2h-2hf5-v7vv (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-29043 (GHSA, advisory)
- liferay.com (GHSA, x_refsource_MISC, web)
- portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743515 (GHSA, x_refsource_MISC, web)
- web.archive.org/web/20210517183617/https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743515 (GHSA, web)
News mentions
No linked articles in our index yet.