High severityNVD Advisory· Published Feb 20, 2024· Updated Aug 1, 2024
CVE-2024-25607
CVE-2024-25607
Description
The default password hashing algorithm (PBKDF2-HMAC-SHA1) in Liferay Portal 7.2.0 through 7.4.3.15, and older unsupported versions, and Liferay DXP 7.4 before update 16, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions defaults to a low work factor, which allows attackers to quickly crack password hashes.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
com.liferay.portal:release.dxp.bomMaven | >= 7.3.0, < 7.3.10.u4 | 7.3.10.u4 |
com.liferay.portal:release.dxp.bomMaven | < 7.2.10.fp17 | 7.2.10.fp17 |
com.liferay.portal:release.dxp.bomMaven | >= 7.4.0, < 7.4.13.u16 | 7.4.13.u16 |
com.liferay.portal:release.portal.bomMaven | < 7.4.3.14 | 7.4.3.14 |
com.liferay.portal:com.liferay.portal.kernelMaven | < 38.0.0 | 38.0.0 |
Affected products
5- ghsa-coords3 versionspkg:maven/com.liferay.portal/com.liferay.portal.kernelpkg:maven/com.liferay.portal/release.dxp.bompkg:maven/com.liferay.portal/release.portal.bom
< 38.0.0+ 2 more
- (no CPE)range: < 38.0.0
- (no CPE)range: >= 7.3.0, < 7.3.10.u4
- (no CPE)range: < 7.4.3.14
Patches
Vulnerability mechanics
References
3- github.com/advisories/GHSA-43h9-p3j4-39hmghsaADVISORY
- liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25607ghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2024-25607ghsaADVISORY
News mentions
0No linked articles in our index yet.