CVE-2024-26267
Description
In Liferay Portal 7.2.0 through 7.4.3.25, and older unsupported versions, and Liferay DXP 7.4 before update 26, 7.3 before update 5, 7.2 before fix pack 19, and older unsupported versions, the default value of the portal property `http.header.version.verbosity` is set to `full`, which allows remote attackers to easily identify the version of the application that is running, and the vulnerabilities that affect that version, via the `Liferay-Portal` response header.
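One way to check which value a given node will actually use, as an added example (not Liferay's code and not part of the advisory). It assumes the precedence environment variable > `portal-ext.properties` > shipped default; the function names, the `shipped_default` parameter and the sample file are hypothetical.

```python
import re

PROP = "http.header.version.verbosity"
# Environment form of the property, as given in the portal.properties comment.
ENV = "LIFERAY_HTTP_PERIOD_HEADER_PERIOD_VERSION_PERIOD_VERBOSITY"


def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value, # and ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()  # last definition wins
    return props


def audit_verbosity(ext_properties_text, env, shipped_default):
    """Return (effective_value, source, discloses_version).

    Assumption: precedence is environment > portal-ext.properties > shipped default.
    shipped_default is "full" on affected releases and "partial" on patched ones.
    """
    props = parse_properties(ext_properties_text)
    if ENV in env:
        value, source = env[ENV], "environment"
    elif PROP in props:
        value, source = props[PROP], "portal-ext.properties"
    else:
        value, source = shipped_default, "shipped default"
    # Compared case-insensitively here to be conservative (an assumption).
    return value, source, value.strip().lower() == "full"


# Constructed sample override file, not taken from a real deployment.
SAMPLE_EXT = """\
# local overrides
example.other.setting=1
http.header.version.verbosity = partial
"""

if __name__ == "__main__":
    print(audit_verbosity("", {}, "full"))
    print(audit_verbosity(SAMPLE_EXT, {}, "full"))
    print(audit_verbosity(SAMPLE_EXT, {ENV: "full"}, "partial"))
```

The third call shows why upgrading alone is not enough to confirm the fix: an explicit `full` override still yields the verbose header on a patched release.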
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.liferay.portal:release.portal.bom (Maven) | >= 7.2.0, < 7.4.3.26-ga26 | 7.4.3.26-ga26 |
| com.liferay.portal:release.dxp.bom (Maven) | < 7.2.10.fp19 | 7.2.10.fp19 |
| com.liferay.portal:release.dxp.bom (Maven) | >= 7.3.0, < 7.3.10.u5 | 7.3.10.u5 |
| com.liferay.portal:release.dxp.bom (Maven) | >= 7.4.0, < 7.4.13.u26 | 7.4.13.u26 |
Affected products
- Liferay/DXP (v5), Range: 7.4.13
Patches
0e881cac66db Revert "LPS-151217 - change default for "http.header.version.verbosity" to partial"
1 file changed · +1 −1
portal-impl/src/portal.properties+1 −1 modified@@ -6398,7 +6398,7 @@ # # Env: LIFERAY_HTTP_PERIOD_HEADER_PERIOD_VERSION_PERIOD_VERBOSITY # - http.header.version.verbosity=partial + http.header.version.verbosity=full ## ## HTTP Tunneling
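Review bot: The `+ http.header.version.verbosity=full` line puts the default back to the value the description above identifies as disclosing the running version, and the revert message gives no reason for doing so. If the revert is only temporary, say so in the commit message and reference the change that restores `partial`; otherwise drop the revert so the shipped default stays `partial`.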
9658cec331fe LPS-151217 - change default for "http.header.version.verbosity" to partial
1 file changed · +1 −1
portal-impl/src/portal.properties+1 −1 modified@@ -6398,7 +6398,7 @@ # # Env: LIFERAY_HTTP_PERIOD_HEADER_PERIOD_VERSION_PERIOD_VERBOSITY # - http.header.version.verbosity=full + http.header.version.verbosity=partial ## ## HTTP Tunneling
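Review bot: Changing the default on the `http.header.version.verbosity=partial` line only helps installations that never set this property. The context line shows it can also be supplied through `LIFERAY_HTTP_PERIOD_HEADER_PERIOD_VERSION_PERIOD_VERBOSITY`, so a deployment that pins `full` there or in an override file keeps the verbose header after upgrading. Suggest extending the comment block above the property to state that `full` discloses the exact version, so operators reviewing their overrides see it next to the setting.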
00750dade0cc LPS-151217 - change default for "http.header.version.verbosity" to partial
1 file changed · +1 −1
portal-impl/src/portal.properties+1 −1 modified@@ -6398,7 +6398,7 @@ # # Env: LIFERAY_HTTP_PERIOD_HEADER_PERIOD_VERSION_PERIOD_VERBOSITY # - http.header.version.verbosity=full + http.header.version.verbosity=partial ## ## HTTP Tunneling
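Review bot: Only portal-impl/src/portal.properties changes here (1 file, +1 −1), so nothing guards the new `partial` default against being flipped back, which the revert of this same change listed above shows can happen. Suggest adding a test that asserts the `Liferay-Portal` response header produced with default properties carries no version number.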
References
- github.com/advisories/GHSA-2mvj-q2q3-wxjv (ghsa, ADVISORY)
- liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26267 (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2024-26267 (ghsa, ADVISORY)
- github.com/liferay/liferay-portal/commit/00750dade0cc81efc380fcc6d7e2f58060c4ad95 (ghsa, WEB)
- github.com/liferay/liferay-portal/commit/0e881cac66db14a11673c0352def6df04f77d35c (ghsa, WEB)
- github.com/liferay/liferay-portal/commit/9658cec331feaaaad8bf93c6f65e1768a1f43ae2 (ghsa, WEB)