Moderate severity · NVD Advisory · Published Feb 20, 2024 · Updated Aug 15, 2024
CVE-2024-26268
Description
User enumeration vulnerability in Liferay Portal 7.2.0 through 7.4.3.26, and older unsupported versions, and Liferay DXP 7.4 before update 27, 7.3 before update 8, 7.2 before fix pack 20, and older unsupported versions allows remote attackers to determine if an account exists in the application by comparing the request's response time.
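The timing gap the description refers to, and the constant-work fix the patches below apply, as an added Java example that is not Liferay code: `slowHash` is a stand-in for the portal's password encryptor, the account store is constructed, and the `pretend` flag switches between the vulnerable early return for unknown logins and the patched behaviour of hashing a fixed dummy password so both outcomes cost the same.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.function.BooleanSupplier;
public class EnumerationTimingCheck {
    // Constructed sample account store (login -> stored hash); not Liferay data.
    private static final Map<String, byte[]> USERS = Map.of("alice", slowHash("correct horse"));

    // Deliberately costly hash standing in for the portal's password encryptor.
    static byte[] slowHash(String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] digest = password.getBytes(StandardCharsets.UTF_8);
            for (int i = 0; i < 50_000; i++) digest = md.digest(digest);
            return digest;
        } catch (java.security.NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // pretend=false is the vulnerable shape: an unknown login returns before any
    // hashing, so it answers faster than a wrong password for a known login.
    // pretend=true mirrors the patch: hash a fixed dummy password so both
    // branches do the same amount of work before returning "failed".
    static boolean authenticate(String login, String password, boolean pretend) {
        byte[] stored = USERS.get(login);
        if (stored == null) {
            if (pretend) {
                slowHash("pretend-password");
            }
            return false;
        }
        return MessageDigest.isEqual(stored, slowHash(password));
    }

    // Total wall-clock time of `rounds` calls, in milliseconds.
    static double millis(BooleanSupplier call, int rounds) {
        long start = System.nanoTime();
        for (int i = 0; i < rounds; i++) call.getAsBoolean();
        return (System.nanoTime() - start) / 1_000_000.0;
    }
    public static void main(String[] args) {
        for (boolean pretend : new boolean[] {false, true}) {
            System.out.printf("%s: known %.1f ms, unknown %.1f ms%n", pretend ? "fixed" : "leaky",
                millis(() -> authenticate("alice", "wrong", pretend), 20),
                millis(() -> authenticate("nobody", "wrong", pretend), 20));
        }
    }
}
```

With `pretend=false` the unknown-login column is close to zero while the known-login column carries the full hash cost; with `pretend=true` the two columns converge, which is the property a regression test for this class of fix should assert.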
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.liferay.portal:release.portal.bom (Maven) | >= 7.2.0, < 7.4.3.27-ga27 | 7.4.3.27-ga27 |
| com.liferay.portal:release.dxp.bom (Maven) | < 7.2.10.fp20 | 7.2.10.fp20 |
| com.liferay.portal:release.dxp.bom (Maven) | >= 7.3.0, < 7.3.10.u8 | 7.3.10.u8 |
| com.liferay.portal:release.dxp.bom (Maven) | >= 7.4.0, < 7.4.13.u27 | 7.4.13.u27 |
Affected products
- Liferay / DXP (v5), range: 7.4.13
Patches
d8d0ae0178a2: LPS-153080 Take into account of skip_liferay_check
1 file changed · +5 −1
portal-impl/src/com/liferay/portal/service/impl/UserLocalServiceImpl.java+5 −1 modified@@ -5610,7 +5610,11 @@ else if (authType.equals(CompanyConstants.AUTH_TYPE_ID)) { } if (user == null) { - PwdAuthenticator.pretendToAuthenticate(); + if ((authResult == Authenticator.SUCCESS) && + PropsValues.AUTH_PIPELINE_ENABLE_LIFERAY_CHECK) { + + PwdAuthenticator.pretendToAuthenticate(); + } return Authenticator.DNE; }
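Review bot: the new guard `(authResult == Authenticator.SUCCESS) && PropsValues.AUTH_PIPELINE_ENABLE_LIFERAY_CHECK` around `PwdAuthenticator.pretendToAuthenticate()` restates, for the `user == null` branch, the condition under which the existing-user path actually reaches the Liferay password hash; the two conditions now live in different places and can drift, silently reopening the timing gap if one is edited without the other. Consider a comment on this branch saying the pretend call must track the real password-check condition, or factoring the predicate into a single helper both paths use, and add a regression test that times the `Authenticator.DNE` and wrong-password outcomes with the Liferay check both enabled and disabled.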
46db55ec2110: LPS-153080 Simulate hashing process for non existing users
2 files changed · +24 −0
portal-impl/src/com/liferay/portal/security/pwd/PwdAuthenticator.java+22 −0 modified@@ -88,7 +88,29 @@ else if (GetterUtil.getBoolean( return false; } + public static void pretendToAuthenticate() throws PwdEncryptorException { + authenticate( + _PRETENDED_LOGIN, _PRETENDED_CLEAR_TEXT_PASSWORD, + _PRETENDED_CURRENT_ENCRYPTED_PASSWORD); + } + + private static final String _PRETENDED_CLEAR_TEXT_PASSWORD = "password"; + + private static final String _PRETENDED_CURRENT_ENCRYPTED_PASSWORD; + + private static final String _PRETENDED_LOGIN = "login"; + private static final Log _log = LogFactoryUtil.getLog( PwdAuthenticator.class.getName()); + static { + try { + _PRETENDED_CURRENT_ENCRYPTED_PASSWORD = + PasswordEncryptorUtil.encrypt("currentPassword"); + } + catch (PwdEncryptorException pwdEncryptorException) { + throw new RuntimeException(pwdEncryptorException); + } + } + } \ No newline at end of file
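Review bot: the static initializer fixes `_PRETENDED_CURRENT_ENCRYPTED_PASSWORD` once at class load using whatever algorithm `PasswordEncryptorUtil.encrypt("currentPassword")` selects at that moment, so if stored hashes for real accounts use a different or more expensive algorithm (legacy accounts, a later change of default), `pretendToAuthenticate()` does a different amount of work than the real comparison and only narrows the timing signal rather than matching it; a comment stating this assumption, or deriving the dummy hash from the same algorithm the real path would use, would make the intent explicit. Wrapping the `PwdEncryptorException` in a `RuntimeException` inside `static {}` also means a failing encryptor at startup surfaces as an `ExceptionInInitializerError` that takes down every authentication through this class; that is fail-closed and probably intended, but worth a comment. Minor: the file now ends without a trailing newline.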
portal-impl/src/com/liferay/portal/service/impl/UserLocalServiceImpl.java+2 −0 modified@@ -5610,6 +5610,8 @@ else if (authType.equals(CompanyConstants.AUTH_TYPE_ID)) { } if (user == null) { + PwdAuthenticator.pretendToAuthenticate(); + return Authenticator.DNE; }
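Review bot: `PwdAuthenticator.pretendToAuthenticate()` is called unconditionally in the `user == null` branch, but the existing-user path only performs the Liferay password hash when that check is enabled (`PropsValues.AUTH_PIPELINE_ENABLE_LIFERAY_CHECK` in the companion commit), so with the check disabled this adds hashing work only to the unknown-user outcome and inverts the skew instead of removing it; the call should be gated on the same condition as the real check. Also, `pretendToAuthenticate()` is declared `throws PwdEncryptorException`, and the hunk does not show how the enclosing method handles it; confirm the method signature or a surrounding catch covers it.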
References
- github.com/advisories/GHSA-qm43-g2xj-hvg5 (GHSA advisory)
- liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26268 (vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-26268 (NVD advisory)
- github.com/liferay/liferay-portal/commit/46db55ec21103fa39542e2cba080c4f98e3c5f93 (fix commit)
- github.com/liferay/liferay-portal/commit/d8d0ae0178a2d902b541c80a230a2c7a5ab246e8 (fix commit)