CVE-2023-33950
Description
Pattern Redirects in Liferay Portal 7.4.3.48 through 7.4.3.76, and Liferay DXP 7.4 update 48 through 76 allows regular expressions that are vulnerable to ReDoS attacks to be used as patterns, which allows remote attackers to consume an excessive amount of server resources via crafted request URLs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Pattern Redirects in Liferay Portal 7.4.3.48-76 and DXP 7.4 update 48-76 allow ReDoS attacks via crafted URLs, causing excessive resource consumption.
The vulnerability resides in the Pattern Redirects feature of Liferay Portal and DXP, which lets administrators define URL redirects whose source is a regular expression. The feature does not check whether a supplied expression can trigger catastrophic backtracking (for example, a quantified group that itself contains a quantifier, such as `(a+)+`), so such expressions are accepted as patterns and evaluated against incoming request URLs [1][3].
Once such a pattern is configured, an unauthenticated remote attacker can exploit it by sending a request URL crafted so that the match fails only after the regex engine has explored an exponential number of paths. No authentication or special privileges are required to trigger the backtracking; the attacker only needs to reach the affected server over HTTP [1]. The attacker does not need to control the pattern: a pattern written in good faith by an administrator is enough if it has a vulnerable shape.
Successful exploitation consumes excessive CPU on the server, producing a denial of service. Because each crafted request can occupy a request-handling thread for a long time, a small number of requests can make the server unresponsive to legitimate traffic, impacting availability [1][3].
Liferay has acknowledged the issue. The vulnerability affects Liferay Portal 7.4.3.48 through 7.4.3.76 and Liferay DXP 7.4 update 48 through 76; Portal 7.4.3.77 and DXP 7.4 update 77 are the first unaffected releases. Users are advised to update to a patched version or, until they can, apply the workarounds described in the vendor advisory [3]. Reviewing existing redirect patterns for nested quantifiers is a reasonable interim check.
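The pattern shape behind this class of bug, and the kind of check that rejects it before it is saved, as an added example written for this page (Python; it is not Liferay's code and not the vendor's fix). Liferay runs on the JVM, and java.util.regex is a backtracking engine like Python's `re`, so the same pattern shapes exhaust both. The redirect patterns, the `/legacy/` prefix and the length cap are constructed for the example; `find_nested_quantifiers` is a deliberately simple heuristic, not a complete regex analysis.

```python
"""Illustrative checks for admin-supplied redirect regexes (added example, not Liferay code).
Python's re module backtracks like java.util.regex, so the same pattern shapes blow up in both."""
import re
import time


def _quantifier_at(pattern: str, i: int) -> bool:
    """True if pattern[i] starts a quantifier: *, +, ? or {m}, {m,}, {m,n}."""
    if i >= len(pattern):
        return False
    return pattern[i] in "*+?" or re.match(r"\{\d+(,\d*)?\}", pattern[i:]) is not None


def _skip_quantifier(pattern: str, i: int) -> int:
    """Index just past the quantifier at i, including a lazy '?' or possessive '+' suffix."""
    i = pattern.index("}", i) + 1 if pattern[i] == "{" else i + 1
    return i + 1 if pattern[i:i + 1] in ("?", "+") else i


def _skip_class(pattern: str, i: int) -> int:
    """Index just past the '[...]' at i; a leading '^' and a leading ']' do not close it."""
    i += 1 + pattern.startswith("^", i + 1)
    i += pattern.startswith("]", i)
    while i < len(pattern) and pattern[i] != "]":
        i += 2 if pattern[i] == "\\" else 1
    return i + 1


def find_nested_quantifiers(pattern: str) -> list[str]:
    """Heuristic scan for the classic ReDoS shape: a quantified group that itself contains a
    quantified element, e.g. (a+)+ or (\\w*)*. Returns the offending sub-patterns. Conservative
    (flags (x+/)* although the '/' keeps it linear) and incomplete (misses (a|aa)+)."""
    findings: list[str] = []
    stack: list[list] = []  # one entry per open group: [start index, contains a quantifier]
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "(":
            stack.append([i, False])
            i += 1
            if pattern.startswith("?", i):  # (?:...), (?=...), (?P<name>...) and similar prefixes
                i = pattern.index(">", i) + 1 if pattern.startswith("?P<", i) else i + 2
            continue
        if c == ")":
            start, inner = stack.pop() if stack else (i, False)
            i += 1
            outer = _quantifier_at(pattern, i)
            if outer:
                i = _skip_quantifier(pattern, i)
                if inner:
                    findings.append(pattern[start:i])
            if stack and (inner or outer):
                stack[-1][1] = True  # a quantifier anywhere inside counts for the enclosing group
            continue
        # any other token is a single atom: escape, character class, or literal ('|' included)
        if c == "\\":
            i += 2
        elif c == "[":
            i = _skip_class(pattern, i)
        else:
            i += 1
        if _quantifier_at(pattern, i):
            i = _skip_quantifier(pattern, i)
            if stack:
                stack[-1][1] = True
    return findings


MAX_PATTERN_LENGTH = 256  # assumed cap for this example, not a Liferay setting


def validate_redirect_pattern(pattern: str) -> re.Pattern:
    """Accept a redirect pattern only if it is short, compiles, and has no nested quantifier."""
    if len(pattern) > MAX_PATTERN_LENGTH:
        raise ValueError(f"pattern longer than {MAX_PATTERN_LENGTH} characters")
    try:
        compiled = re.compile(pattern)
    except re.error as exc:
        raise ValueError(f"invalid regex: {exc}") from exc
    if nested := find_nested_quantifiers(pattern):
        raise ValueError(f"nested quantifiers can cause catastrophic backtracking: {nested}")
    return compiled


def match_cost(pattern: str, text: str) -> float:
    """Seconds one full-match attempt takes: the request-thread time a single crafted URL buys."""
    start = time.perf_counter()
    re.fullmatch(pattern, text)
    return time.perf_counter() - start


if __name__ == "__main__":
    unsafe = r"^/legacy/(a+)+$"  # constructed vulnerable redirect pattern
    safe = r"^/legacy/a+$"       # matches exactly the same URLs in linear time
    print("unsafe:", find_nested_quantifiers(unsafe), "safe:", find_nested_quantifiers(safe))
    for n in (10, 14, 18):
        url = "/legacy/" + "a" * n + "!"  # the trailing '!' makes the match fail only after backtracking
        print(f"n={n}: unsafe {match_cost(unsafe, url):.4f}s  safe {match_cost(safe, url):.6f}s")
```

Running it shows the cost of the unsafe pattern roughly doubling with every extra `a` while the equivalent `a+` pattern stays flat. The static check is the control an admin UI should run before saving a user-supplied pattern, but it is a heuristic in both directions: it flags `(?:[a-z]+/)*`, which the `/` separator actually keeps linear, and it does not flag `(a|aa)+`, which is also exponential. A match timeout or a linear-time engine such as RE2 is the stronger runtime control and pairs with the static check rather than replacing it.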
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.liferay.portal:release.portal.bom (Maven) | >= 7.4.3.48, < 7.4.3.77 | 7.4.3.77 |
Affected products
- OSV coordinates (no CPE): >= 7.4-update48.0, <= 7.4-update48.0
- OSV coordinates (no CPE): >= 7.4.3.48, < 7.4.3.77
- Liferay / DXP (v5 range): 7.4.13.u48
The DXP coordinates above cover only update 48, whereas the description lists DXP 7.4 update 48 through 76; treat the description and the vendor advisory as authoritative when scoping affected DXP installations.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-chrc-q6v3-jfv8 (GitHub Security Advisory)
- [2] liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33950 (vendor advisory)
- [3] nvd.nist.gov/vuln/detail/CVE-2023-33950 (NVD)
News mentions
No linked articles in our index yet.