CVE-2020-7961

critical-risk
Published 2020-03-20

Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS).

Do I need to act?

!
94.4% chance of exploitation in next 30 days
EPSS score — higher than 6% of all CVEs
!
CISA KEV: actively exploited in the wild
On the Known Exploited Vulnerabilities catalog — federal agencies must patch
!
1 public exploit available
48332
+
Fix available
Upgrade to: ded0e9390637985231e962e4ad4cfa4639eabb26
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Liferay

References (11)

Third Party Advisory http://packetstormsecurity.com/files/157254/Liferay-Portal-Java-Unmarshalling-Re...
Third Party Advisory http://packetstormsecurity.com/files/158392/Liferay-Portal-Remote-Code-Execution...
Broken Link https://portal.liferay.dev/learn/security/known-vulnerabilities
Broken Link https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publishe...
Exploit https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-...
Third Party Advisory http://packetstormsecurity.com/files/157254/Liferay-Portal-Java-Unmarshalling-Re...
Third Party Advisory http://packetstormsecurity.com/files/158392/Liferay-Portal-Remote-Code-Execution...
Broken Link https://portal.liferay.dev/learn/security/known-vulnerabilities
Broken Link https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publishe...
Exploit https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-...
US Government Resource https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-...
71
/ 100
critical-risk
Severity 32/34 · Critical
Exploitability 34/34 · Critical
Exposure 5/34 · Minimal