CVE-2024-26267 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2024-26267

CVE-2024-26267

February 20, 2024

In Liferay Portal 7.2.0 through 7.4.3.25, and older unsupported versions, and Liferay DXP 7.4 before update 26, 7.3 before update 5, 7.2 before fix pack 19, and older unsupported versions the default value of the portal property "http.header.version.verbosity" is set to "full", which allows remote attackers to easily identify the version of the application that is running and the vulnerabilities that affect that version via 'Liferay-Portal` response header.

Additional Notes

The description of this vulnerability differs from MITRE.

Related Resources (6)

https://github.com/liferay/liferay-portal

https://github.com/liferay/liferay-portal/commit/0e881cac66db14a11673c0352def6df04f77d35c

https://github.com/liferay/liferay-portal/commit/9658cec331feaaaad8bf93c6f65e1768a1f43ae2

https://nvd.nist.gov/vuln/detail/CVE-2024-26267

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26267

https://github.com/liferay/liferay-portal/commit/00750dade0cc81efc380fcc6d7e2f58060c4ad95

Do you need more information?

CVSS v4

Base Score:

6.9

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

NONE

Vulnerable System Confidentiality

LOW

Vulnerable System Integrity

NONE

Vulnerable System Availability

NONE

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

NONE

Availability

NONE

Weakness Type (CWE)

Initialization of a Resource with an Insecure Default

CWE-1188

EPSS

Base Score:

0.22

Products

Solutions

Resources

Company

Compare

Developer Tools