CVE-2021-33321
Description
Insecure default configuration in Liferay Portal 6.2.3 through 7.3.2, and Liferay DXP before 7.3, allows remote attackers to enumerate user email address via the forgot password functionality. The portal.property login.secure.forgot.password should be defaulted to true.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Liferay Portal 6.2.3 through 7.3.2 and DXP before 7.3 have an insecure default configuration that allows remote attackers to enumerate user email addresses via the forgot password functionality.
Vulnerability
Liferay Portal versions 6.2.3 through 7.3.2 and Liferay DXP versions before 7.3 ship with an insecure default configuration where the property login.secure.forgot.password is set to false [1][2][3]. This property controls whether the forgot password feature reveals whether a given email address is registered. When set to false, the feature returns different responses for registered and unregistered email addresses, enabling user enumeration [3].
Exploitation
An unauthenticated remote attacker can exploit this by sending a forgot password request for a target email address. If the email is registered, the system returns a success message; if not, it returns an error or different response. No special privileges or network position beyond standard HTTP access are required [3].
Impact
Successful exploitation allows an attacker to enumerate valid user email addresses associated with the Liferay instance. This information disclosure can be used to target specific users for further attacks, such as phishing or credential stuffing [3].
Mitigation
The fix changed the default value of login.secure.forgot.password to true in portal.properties [1][2]; the same change set also adds login.secure.forgot.password=false to the portal-legacy-7.2 and portal-legacy-7.3 property files, so an installation that includes a legacy property file keeps the old, enumerable behaviour until the property is overridden. Administrators should ensure this property is explicitly set to true in portal-ext.properties or upgrade to a patched version (Liferay Portal 7.3.3 or later, Liferay DXP 7.3 or later), and verify the effective value after upgrading. If upgrading is not immediately possible, setting the property to true mitigates the enumeration risk [3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
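As an added example (not Liferay's code, nor part of the advisory), a small checker for the effective value of login.secure.forgot.password across a stack of Java property files, covering the case where a legacy property file pins the old value and portal-ext.properties restores it. It assumes the usual override model in which later files override earlier ones; the file contents are constructed samples.

```python
import re

KEY = "login.secure.forgot.password"
# key, optional '=' or ':' (or just whitespace), value
_PAIR = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")

def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, '=' or ':'
    separators, backslash line continuations, last definition wins."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):          # logical line continues on next line
            pending += line[:-1]
            continue
        match = _PAIR.match(pending + line)
        pending = ""
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props

def effective_setting(files):
    """files: [(name, contents)] in load order, later files override earlier.
    Returns (True/False, defining file) or (None, None) if never set."""
    value, origin = None, None
    for name, text in files:
        props = parse_properties(text)
        if KEY in props:
            value, origin = props[KEY].lower() == "true", name
    return value, origin

def forgot_password_is_secure(files):
    return effective_setting(files)[0] is True

# Constructed sample files (not copied from a real installation).
PORTAL = "# default after LPS-112004\nlogin.secure.forgot.password=true\n"
LEGACY_72 = ("company.security.strangers.verify=false\n\n"
             "login.secure.forgot.password=false\n")
EXT_FIXED = "login.secure.forgot.password = \\\n    true\n"

if __name__ == "__main__":
    base = [("portal.properties", PORTAL)]
    legacy = base + [("portal-legacy-7.2.properties", LEGACY_72)]
    fixed = legacy + [("portal-ext.properties", EXT_FIXED)]
    for label, stack in (("patched default", base), ("legacy file included", legacy),
                         ("portal-ext override", fixed)):
        print(f"{label}: {effective_setting(stack)}")
```

Run it against the real portal.properties, any included legacy file, and portal-ext.properties of an instance to see which file decides the setting.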
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| com.liferay.portal:com.liferay.portal.impl | Maven | < 5.11.0 | 5.11.0 |
| com.liferay.portal:release.portal.bom | Maven | < 7.3.3 | 7.3.3 |
Affected products
- Liferay / Liferay Portal (GHSA coordinates, no CPE): affected ranges < 5.11.0 and < 7.3.3
Patches
06df28c5ad61 LPS-112004 Add "login.secure.forgot.password=false" to the legacy property files
2 files changed · +6 −2
portal-impl/src/portal-legacy-7.2.properties+3 −1 modified@@ -1 +1,3 @@ -company.security.strangers.verify=false \ No newline at end of file +company.security.strangers.verify=false + +login.secure.forgot.password=false \ No newline at end of file
portal-impl/src/portal-legacy-7.3.properties+3 −1 modified@@ -1 +1,3 @@ -company.security.strangers.verify=false \ No newline at end of file +company.security.strangers.verify=false + +login.secure.forgot.password=false \ No newline at end of file
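Review bot: Both hunks add `login.secure.forgot.password=false` to the 7.2 and 7.3 legacy property files without a comment explaining why, so an administrator who includes a legacy file will silently keep the behaviour that the companion commit turns off by default; add a comment above the line, for example `# Preserves pre-LPS-112004 behaviour; set to true to avoid revealing whether an address is registered`, and mention it in the upgrade notes. Both files also still end with `\ No newline at end of file`, which is why a one-line addition shows up as a noisy two-line diff and will do so again on the next change.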
37de1d78d9b1 LPS-112004 Change the login.secure.forgot.password default value to true
1 file changed · +1 −1
portal-impl/src/portal.properties+1 −1 modified@@ -11656,7 +11656,7 @@ # # Env: LIFERAY_LOGIN_PERIOD_SECURE_PERIOD_FORGOT_PERIOD_PASSWORD # - login.secure.forgot.password=false + login.secure.forgot.password=true ## ## Menu Tag Libraries
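Review bot: The flip to `login.secure.forgot.password=true` is the right default, but the only visible documentation in the surrounding block is the `# Env: LIFERAY_LOGIN_PERIOD_SECURE_PERIOD_FORGOT_PERIOD_PASSWORD` line; extend the comment above the property to state that `true` keeps the forgot-password response the same for registered and unregistered addresses, and cross-reference the legacy property files where the old `false` value is retained, so the two LPS-112004 commits can be understood together.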
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-jfch-m2x3-2v66 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-33321 (advisory)
- github.com/liferay/liferay-portal/commit/06df28c5ad618afed967fa485418e6cc29c70f38 (fix commit)
- github.com/liferay/liferay-portal/commit/37de1d78d9b1c4a473e3233a6ea146c741075e18 (fix commit)
- help.liferay.com/hc/en-us/articles/360050785632 (vendor article, x_refsource_MISC)
- portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120748055 (vendor advisory, x_refsource_CONFIRM)