High severityNVD Advisory· Published Aug 3, 2021· Updated Aug 3, 2024
CVE-2021-33322
CVE-2021-33322
Description
In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 18, and 7.2 before fix pack 5, password reset tokens are not invalidated after a user changes their password, which allows remote attackers to change the user’s password via the old password reset token.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
com.liferay.portal:com.liferay.portal.implMaven | < 5.7.3 | 5.7.3 |
com.liferay.portal:release.dxp.bomMaven | >= 7.0.0, < 7.0.10.fp96 | 7.0.10.fp96 |
com.liferay.portal:release.dxp.bomMaven | >= 7.1.0, < 7.1.10.fp18 | 7.1.10.fp18 |
com.liferay.portal:release.dxp.bomMaven | >= 7.2.0, < 7.2.10.fp5 | 7.2.10.fp5 |
Affected products
3- Liferay/Liferay Portaldescription
- ghsa-coords2 versions
< 5.7.3+ 1 more
- (no CPE)range: < 5.7.3
- (no CPE)range: >= 7.0.0, < 7.0.10.fp96
Patches
Vulnerability mechanics
References
8- github.com/advisories/GHSA-vwj8-4grf-3r8vghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-33322ghsaADVISORY
- github.com/liferay/liferay-portal/commit/8f072ee8527a1dd5c0ffa91c4a78641d0e666b95ghsaWEB
- github.com/liferay/liferay-portal/commit/9fe453b34f58286a504d995be8ba50499adcf1b7ghsaWEB
- issues.liferay.com/browse/LPE-16981mitrex_refsource_CONFIRM
- liferay.atlassian.net/browse/LPE-16981ghsaWEB
- liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2021-33322-password-change-does-not-invalidate-password-reset-tokensghsaWEB
- portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120748020mitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.