CVE-2022-41414
Description
An insecure default in the component auth.login.prompt.enabled of Liferay Portal v7.0.0 through v7.4.2 allows attackers to enumerate usernames, site names, and pages.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Liferay Portal v7.0.0–v7.4.2 has an insecure default in auth.login.prompt.enabled that allows attackers to enumerate usernames, site names, and pages.
Vulnerability
The vulnerability stems from an insecure default configuration of the auth.login.prompt.enabled property in Liferay Portal versions 7.0.0 through 7.4.2. By default, this setting enables a login prompt that reveals whether a given username, site name, or page exists, leading to information disclosure [1].
Exploitation
An unauthenticated attacker can exploit this by sending crafted requests to the login endpoint. The prompt’s response differs based on whether the submitted username or resource is valid, allowing the attacker to enumerate valid identifiers without authentication [1].
Impact
Successful enumeration provides an attacker with a list of valid usernames, sites, and pages. This information can be used to launch targeted attacks, such as password guessing or phishing, and increases the attack surface of the portal.
Mitigation
The issue was addressed in a commit that changes the default value of auth.login.prompt.enabled from true to false [3]. Administrators are advised to update to a patched version or manually disable the setting. The official advisory from Liferay provides further guidance [4].
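As an added illustration (not Liferay's code and not part of the original advisory), a small Python audit that reports the effective value of `auth.login.prompt.enabled` after an upgrade. It assumes the usual Liferay layering, lowest to highest precedence: portal.properties, then portal-ext.properties, then a `LIFERAY_*` environment variable; the env-var naming rule is taken from the comment visible in the fix diff.

```python
"""Audit the effective value of auth.login.prompt.enabled across Liferay's
property layers. Constructed sample data; not Liferay's own code."""
import os

PROPERTY = "auth.login.prompt.enabled"


def env_var_name(key: str) -> str:
    # Liferay spells a property key as an env var by upper-casing it and
    # writing each '.' as '_PERIOD_' (the name shown in the fix diff).
    return "LIFERAY_" + key.upper().replace(".", "_PERIOD_")


def parse_properties(text: str) -> dict:
    # Minimal Java .properties reader: skips blanks and comments, last key wins.
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        sep = "=" if "=" in line else ":"
        key, _, value = line.partition(sep)
        props[key.strip()] = value.strip()
    return props


def effective_value(portal_props: str, ext_props: str = "", env=None):
    """Return (enabled, source). Assumed precedence (lowest to highest):
    portal.properties < portal-ext.properties < environment variable."""
    env = os.environ if env is None else env
    value, source = "", "not set"
    base = parse_properties(portal_props)
    if PROPERTY in base:
        value, source = base[PROPERTY], "portal.properties"
    ext = parse_properties(ext_props)
    if PROPERTY in ext:
        value, source = ext[PROPERTY], "portal-ext.properties"
    name = env_var_name(PROPERTY)
    if name in env:
        value, source = env[name], "env:" + name
    return value.lower() == "true", source


# Constructed samples: the pre-fix default, the patched default, and an admin
# override that silently re-enables the prompt on a patched release.
PRE_FIX_PORTAL = ("#\n# Env: LIFERAY_AUTH_PERIOD_LOGIN_PERIOD_PROMPT_PERIOD_ENABLED\n"
                  "#\nauth.login.prompt.enabled=true\n")
PATCHED_PORTAL = PRE_FIX_PORTAL.replace("=true", "=false")
EXT_OVERRIDE = "# carried over from an old deployment\nauth.login.prompt.enabled=true\n"

if __name__ == "__main__":
    for label, args in [("pre-fix", (PRE_FIX_PORTAL, "", {})),
                        ("patched", (PATCHED_PORTAL, "", {})),
                        ("patched + ext override", (PATCHED_PORTAL, EXT_OVERRIDE, {}))]:
        enabled, source = effective_value(*args)
        print(f"{label:24} prompt enabled={enabled} (from {source})")
```

Run it against a real installation by reading the three layers from disk; any result of `True` means the enumeration behaviour described above is still live regardless of the installed version.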
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.liferay.portal:release.portal.bom (Maven) | >= 7.0.0-a1, < 7.4.2-ga3 | 7.4.2-ga3 |
| com.liferay.portal:com.liferay.portal.impl (Maven) | < 8.0.0 | 8.0.0 |
Affected products
- Liferay/Portal (GHSA coordinates), 2 version ranges, no CPE assigned:
  - < 8.0.0
  - >= 7.0.0-a1, < 7.4.2-ga3
Patches
659c4422bd32 LPS-132870 default to false
1 file changed · +1 −1
portal-impl/src/portal.properties+1 −1 modified@@ -3870,7 +3870,7 @@ # # Env: LIFERAY_AUTH_PERIOD_LOGIN_PERIOD_PROMPT_PERIOD_ENABLED # - auth.login.prompt.enabled=true + auth.login.prompt.enabled=false # # Enter a friendly URL of a page that will be used to login portal users
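Review bot: the flipped default is not explained in the surrounding comment block, so the next person reading portal.properties has no signal that `auth.login.prompt.enabled=false` is a security-motivated default rather than a preference; a one-line comment above the property stating that enabling the prompt discloses whether usernames, site names and pages exist would make it much less likely to be switched back on. Also note that deployments that already override this key in portal-ext.properties or via `LIFERAY_AUTH_PERIOD_LOGIN_PERIOD_PROMPT_PERIOD_ENABLED` keep the old behaviour after upgrading, since only the shipped default changes; that deserves an upgrade note alongside the change.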
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. github.com/advisories/GHSA-9427-7f65-88c8 (GHSA advisory)
2. nvd.nist.gov/vuln/detail/CVE-2022-41414 (NVD advisory)
3. github.com/liferay/liferay-portal/commit/659c4422bd32b1db1a01a7f4a42b7702d512ffa2 (fix commit)
4. liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2022-01-insecure-defaults-auth-login-prompt-enabled (Liferay advisory)
5. portal.liferay.dev/learn/security/known-vulnerabilities (Liferay known vulnerabilities, via MITRE)