CVE-2025-43786
Description
Enumeration of ERC from object entry in Liferay Portal 7.4.0 through 7.4.3.128, and Liferay DXP 2024.Q3.0 through 2024.Q3.1, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 and 7.4 GA through update 92 allows attackers to determine which ERCs exist in the application by exploiting differences in response time.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.liferay:com.liferay.portal.vulcan.impl (Maven) | >= 5.0.7, < 5.0.127 | 5.0.127 |
| com.liferay:com.liferay.headless.admin.workflow.impl (Maven) | >= 5.0.4, < 5.0.83 | 5.0.83 |
| com.liferay:com.liferay.portal.workflow.api (Maven) | >= 7.0.1, < 11.0.1 | 11.0.1 |
Affected products
2- Liferay/DXPv5Range: 7.4.13
Patches
e34499eab2ce — LPD-35339 Removing detailed Exception message to not give too much information in the response of the API
1 file changed · +1 −2
modules/apps/portal-vulcan/portal-vulcan-impl/src/main/java/com/liferay/portal/vulcan/internal/jaxrs/exception/mapper/NotFoundExceptionMapper.java+1 −2 modified@@ -19,8 +19,7 @@ public class NotFoundExceptionMapper @Override protected Problem getProblem(NotFoundException notFoundException) { - return new Problem( - Response.Status.NOT_FOUND, notFoundException.getMessage()); + return new Problem(Response.Status.NOT_FOUND, null); } } \ No newline at end of file
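Review bot: The new `return new Problem(Response.Status.NOT_FOUND, null);` drops the detail for the right reason but leaves no trace of why, and `notFoundException` is now an unused parameter; add `// Detail deliberately omitted: a per-entity message lets a caller tell an existing ERC from a missing one (LPD-35339).` above the return. Whether Problem serialises a null detail as an absent field or as a literal null is not visible here and should be confirmed against its JSON mapping, since a 404 body that differs from every other 404 would itself be a distinguishing signal. The advisory describes a response-time difference, which this change does not touch; if the timing gap comes from work that only runs when the entry exists (a permission check, for example), that needs a separate fix.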
8f9728086bd6 — LPD-35339 Changing base type of NoSuchWorkflowDefinitionException to remove not needed ExceptionMapper
5 files changed · +13 −49
modules/apps/headless/headless-admin-workflow/headless-admin-workflow-impl/src/main/java/com/liferay/headless/admin/workflow/internal/jaxrs/exception/mapper/NoSuchWorkflowDefinitionExceptionMapper.java+0 −40 removed@@ -1,40 +0,0 @@ -/** - * SPDX-FileCopyrightText: (c) 2000 Liferay, Inc. https://liferay.com - * SPDX-License-Identifier: LGPL-2.1-or-later OR LicenseRef-Liferay-DXP-EULA-2.0.0-2023-06 - */ - -package com.liferay.headless.admin.workflow.internal.jaxrs.exception.mapper; - -import com.liferay.portal.kernel.workflow.NoSuchWorkflowDefinitionException; -import com.liferay.portal.vulcan.jaxrs.exception.mapper.BaseExceptionMapper; -import com.liferay.portal.vulcan.jaxrs.exception.mapper.Problem; - -import javax.ws.rs.core.Response; -import javax.ws.rs.ext.ExceptionMapper; - -import org.osgi.service.component.annotations.Component; - -/** - * @author Michael Cavalcanti - */ -@Component( - property = { - "osgi.jaxrs.application.select=(osgi.jaxrs.name=Liferay.Headless.Admin.Workflow)", - "osgi.jaxrs.extension=true", - "osgi.jaxrs.name=Liferay.Headless.Admin.Workflow.NoSuchWorkflowDefinitionExceptionMapper" - }, - service = ExceptionMapper.class -) -public class NoSuchWorkflowDefinitionExceptionMapper - extends BaseExceptionMapper<NoSuchWorkflowDefinitionException> { - - @Override - protected Problem getProblem( - NoSuchWorkflowDefinitionException noSuchWorkflowDefinitionException) { - - return new Problem( - Response.Status.NOT_FOUND, - noSuchWorkflowDefinitionException.getMessage()); - } - -} \ No newline at end of file
modules/apps/portal-workflow/portal-workflow-api/src/main/java/com/liferay/portal/workflow/manager/WorkflowDefinitionManager.java+4 −3 modified@@ -5,6 +5,7 @@ package com.liferay.portal.workflow.manager; +import com.liferay.portal.kernel.exception.PortalException; import com.liferay.portal.kernel.util.OrderByComparator; import com.liferay.portal.kernel.workflow.WorkflowDefinition; import com.liferay.portal.kernel.workflow.WorkflowException; @@ -95,14 +96,14 @@ public default int getLatestWorkflowDefinitionsCount(long companyId) public default WorkflowDefinition getWorkflowDefinition( long workflowDefinitionId) - throws WorkflowException { + throws PortalException { throw new UnsupportedOperationException(); } public WorkflowDefinition getWorkflowDefinition( long companyId, String name, int version) - throws WorkflowException; + throws PortalException; public List<WorkflowDefinition> getWorkflowDefinitions( long companyId, String name, int start, int end, @@ -140,7 +141,7 @@ public default List<WorkflowDefinition> liberalGetLatestWorkflowDefinitions( public default WorkflowDefinition liberalGetWorkflowDefinition( long companyId, String name, int version) - throws WorkflowException { + throws PortalException { throw new UnsupportedOperationException(); }
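Review bot: Widening `throws WorkflowException` to `throws PortalException` on the public `WorkflowDefinitionManager` interface (both `getWorkflowDefinition` overloads and `liberalGetWorkflowDefinition` here, and the matching signatures in WorkflowDefinitionManagerUtil and WorkflowDefinitionManagerImpl) is a source-incompatible change for any external caller that catches only WorkflowException, because a broader checked exception now escapes. The advisory's patched version 11.0.1 for com.liferay.portal.workflow.api appears consistent with that being a deliberate major bump, but the methods carry no Javadoc saying what to expect; add `@throws PortalException if the definition does not exist (NoSuchWorkflowDefinitionException) or the workflow engine fails (WorkflowException)` to each. Whether WorkflowException itself extends PortalException is not visible in this hunk; if it does not, the try/catch blocks in WorkflowDefinitionManagerImpl, which continue outside their hunks, need re-checking.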
modules/apps/portal-workflow/portal-workflow-api/src/main/java/com/liferay/portal/workflow/util/WorkflowDefinitionManagerUtil.java+2 −1 modified@@ -5,6 +5,7 @@ package com.liferay.portal.workflow.util; +import com.liferay.portal.kernel.exception.PortalException; import com.liferay.portal.kernel.module.service.Snapshot; import com.liferay.portal.kernel.util.OrderByComparator; import com.liferay.portal.kernel.workflow.WorkflowDefinition; @@ -92,7 +93,7 @@ public static List<WorkflowDefinition> liberalGetLatestWorkflowDefinitions( public static WorkflowDefinition liberalGetWorkflowDefinition( long companyId, String name, int version) - throws WorkflowException { + throws PortalException { WorkflowDefinitionManager workflowDefinitionManager = _workflowDefinitionManagerSnapshot.get();
modules/apps/portal-workflow/portal-workflow-kaleo-runtime-integration-impl/src/main/java/com/liferay/portal/workflow/kaleo/runtime/integration/internal/WorkflowDefinitionManagerImpl.java+4 −4 modified@@ -200,7 +200,7 @@ public int getLatestWorkflowDefinitionsCount(Boolean active, long companyId) @Override public WorkflowDefinition getWorkflowDefinition(long workflowDefinitionId) - throws WorkflowException { + throws PortalException { try { return _kaleoWorkflowModelConverter.toWorkflowDefinition( @@ -221,7 +221,7 @@ public WorkflowDefinition getWorkflowDefinition(long workflowDefinitionId) @Override public WorkflowDefinition getWorkflowDefinition( long companyId, String name, int version) - throws WorkflowException { + throws PortalException { return _getWorkflowDefinition(companyId, name, version, false); } @@ -280,7 +280,7 @@ public List<WorkflowDefinition> liberalGetLatestWorkflowDefinitions( @Override public WorkflowDefinition liberalGetWorkflowDefinition( long companyId, String name, int version) - throws WorkflowException { + throws PortalException { return _getWorkflowDefinition(companyId, name, version, true); } @@ -551,7 +551,7 @@ private List<WorkflowDefinition> _getLatestWorkflowDefinitions( private WorkflowDefinition _getWorkflowDefinition( long companyId, String name, int version, boolean liberal) - throws WorkflowException { + throws PortalException { try { return _kaleoWorkflowModelConverter.toWorkflowDefinition(
portal-kernel/src/com/liferay/portal/kernel/workflow/NoSuchWorkflowDefinitionException.java+3 −1 modified@@ -5,10 +5,12 @@ package com.liferay.portal.kernel.workflow; +import com.liferay.portal.kernel.exception.NoSuchModelException; + /** * @author Michael Cavalcanti */ -public class NoSuchWorkflowDefinitionException extends WorkflowException { +public class NoSuchWorkflowDefinitionException extends NoSuchModelException { public NoSuchWorkflowDefinitionException() { }
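Review bot: Changing the superclass at `public class NoSuchWorkflowDefinitionException extends NoSuchModelException` silently removes this exception from every existing `catch (WorkflowException e)` block, which will now let it propagate as a PortalException instead; each such site needs checking. The class Javadoc holds only an author tag and should record the reason for the change, e.g. `Extends NoSuchModelException so that the generic NoSuchModelExceptionMapper produces the same 404 as any other missing entity (LPD-35339).` Any message-carrying constructors outside the hunk still let a detailed message reach other consumers such as logs, which is only acceptable because the JAX-RS mapper no longer echoes it. The class body continues outside the hunk.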
e4a140d6d92e — LPD-35339 Returning the same thing on not found and no permissions
2 files changed · +36 −7
modules/apps/portal-vulcan/portal-vulcan-impl/src/main/java/com/liferay/portal/vulcan/internal/jaxrs/exception/mapper/NoSuchModelExceptionMapper.java+17 −2 modified@@ -9,7 +9,11 @@ import com.liferay.portal.vulcan.jaxrs.exception.mapper.BaseExceptionMapper; import com.liferay.portal.vulcan.jaxrs.exception.mapper.Problem; +import javax.ws.rs.NotFoundException; +import javax.ws.rs.core.Context; import javax.ws.rs.core.Response; +import javax.ws.rs.ext.ExceptionMapper; +import javax.ws.rs.ext.Providers; /** * Converts any {@code NoSuchModelException} to a {@code 404} error. @@ -21,10 +25,21 @@ public class NoSuchModelExceptionMapper extends BaseExceptionMapper<NoSuchModelException> { + @Override + public Response toResponse(NoSuchModelException noSuchModelException) { + ExceptionMapper<NotFoundException> exceptionMapper = + _providers.getExceptionMapper(NotFoundException.class); + + return exceptionMapper.toResponse( + new NotFoundException(noSuchModelException)); + } + @Override protected Problem getProblem(NoSuchModelException noSuchModelException) { - return new Problem( - Response.Status.NOT_FOUND, noSuchModelException.getMessage()); + throw new UnsupportedOperationException("This should not be called"); } + @Context + private Providers _providers; + } \ No newline at end of file
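Review bot: `_providers.getExceptionMapper(NotFoundException.class)` can return null when no mapper is registered for that type, and the unchecked `exceptionMapper.toResponse(...)` would then turn a 404 into an NPE-driven 500, a different response that is itself an existence signal; guard it, e.g. `if (exceptionMapper == null) { return Response.status(Response.Status.NOT_FOUND).build(); }`, and the same applies to the new GET branch in PrincipalExceptionMapper. The delegation only removes the leak because NotFoundExceptionMapper now discards the message, and `new NotFoundException(noSuchModelException)` still wraps the cause so the original text stays reachable through getCause(); a comment above the call stating that dependency would stop a later change to NotFoundExceptionMapper from reopening it. `getProblem` now throws `UnsupportedOperationException("This should not be called")`, which is reachable only if BaseExceptionMapper.toResponse is invoked some other way; a one-line comment saying toResponse is overridden and getProblem is intentionally unreachable would make that clear.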
modules/apps/portal-vulcan/portal-vulcan-impl/src/main/java/com/liferay/portal/vulcan/internal/jaxrs/exception/mapper/PrincipalExceptionMapper.java+19 −5 modified@@ -12,8 +12,11 @@ import javax.servlet.http.HttpServletRequest; +import javax.ws.rs.NotFoundException; import javax.ws.rs.core.Context; import javax.ws.rs.core.Response; +import javax.ws.rs.ext.ExceptionMapper; +import javax.ws.rs.ext.Providers; /** * Converts any {@code PrincipalException} to a {@code 404} error in case it is @@ -26,19 +29,30 @@ public class PrincipalExceptionMapper extends BaseExceptionMapper<PrincipalException> { @Override - protected Problem getProblem(PrincipalException principalException) { - Response.Status status = Response.Status.FORBIDDEN; - + public Response toResponse(PrincipalException principalException) { String method = _httpServletRequest.getMethod(); if (method.equals(HttpMethods.GET)) { - status = Response.Status.NOT_FOUND; + ExceptionMapper<NotFoundException> exceptionMapper = + _providers.getExceptionMapper(NotFoundException.class); + + return exceptionMapper.toResponse( + new NotFoundException(principalException)); } - return new Problem(status, principalException.getMessage()); + return super.toResponse(principalException); + } + + @Override + protected Problem getProblem(PrincipalException principalException) { + return new Problem( + Response.Status.FORBIDDEN, principalException.getMessage()); } @Context private HttpServletRequest _httpServletRequest; + @Context + private Providers _providers; + } \ No newline at end of file
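Review bot: For non-GET methods the two failure modes still diverge: a missing entity is mapped to 404 by NoSuchModelExceptionMapper, while `new Problem(Response.Status.FORBIDDEN, principalException.getMessage())` returns 403 with the message, so for POST, PUT and DELETE the existence distinction this commit closes on GET remains. If that is an accepted trade-off for writes, the class Javadoc, which speaks only of GET, should say so explicitly. HEAD requests are not matched by `method.equals(HttpMethods.GET)` and would take the 403 branch as well, though whether HEAD reaches this mapper depends on the JAX-RS runtime and is not visible here.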
References
- github.com/advisories/GHSA-9p7x-8c57-4pqv (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-43786 (ghsa, ADVISORY)
- github.com/liferay/liferay-portal/commit/8f9728086bd61661437b0aa8493c83510914a474 (ghsa, WEB)
- github.com/liferay/liferay-portal/commit/e34499eab2ce1d544835835afe6733a78b4ab532 (ghsa, WEB)
- github.com/liferay/liferay-portal/commit/e4a140d6d92e92911f08fe33051b677742531f19 (ghsa, WEB)
- liferay.atlassian.net/browse/LPE-18106 (ghsa, WEB)
- liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43786 (ghsa, WEB)