The vulnerability (CVE-2024-55269) exists within the Objects module of Liferay. Authenticated users with the Instance Administrator role can create or modify Object Definitions and their associated Actions or Validations. These elements allow Groovy scripts to be executed as business logic. In the affected versions, script execution is not restricted for these high-privilege users. Consequently, an administrator can place a malicious Groovy script inside an Object Action; when the associated object event is triggered, the server executes the script without any further check. This grants the attacker the ability to run arbitrary operating system commands with the privileges of the Liferay application server, leading to full system compromise. The flaw stems from missing authorization checks specifically for the Groovy script engine within the Objects UI for administrative users.
Platform: Liferay Portal/DXP
Version: 7.4.3.27-42
Vulnerability: Remote Code Execution
Severity: High
Date: 2024-09-01
Prediction: 2024-05-28
What Undercode Say:
curl -X POST 'http://target/.../object-action' --data 'script=groovy_code_here'
Runtime.getRuntime().exec("calc.exe")
How to Exploit:
Admin creates Object Action.
Embed malicious Groovy script.
Trigger action execution.
Gain RCE on server.
Protection from this CVE
Apply patch 1.0.96.
Disable Groovy scripts.
Use SaaS version.
Impact:
Complete system takeover.
Data breach.
Service disruption.
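As an added example (not code from the advisory or from Liferay), the script below does two defender-side checks described above: it tests whether a Liferay 7.4.3.x version string falls in the affected 7.4.3.27-42 range, and it audits a list of Object Actions for Groovy scripts that reach the OS or JVM runtime, such as the Runtime.getRuntime().exec call shown on this page. The action field names (objectActionExecutorKey, parameters.script, objectActionTriggerKey) and the sample actions are assumptions constructed for the demonstration.

```python
import re

# Affected range stated in the advisory: Liferay Portal/DXP 7.4.3.27 through 7.4.3.42.
AFFECTED_RANGE = (27, 42)

# Groovy constructs that reach the JVM runtime or the operating system from an
# Object Action script. Runtime.getRuntime().exec is the call the advisory shows;
# the others are equivalents a reviewer would flag for the same reason.
DANGEROUS_PATTERNS = {
    "os-command": re.compile(r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec\s*\("),
    "process-builder": re.compile(r"\bnew\s+ProcessBuilder\s*\("),
    "groovy-execute": re.compile(r"\.execute\s*\(\s*\)"),
    "dynamic-eval": re.compile(r"\b(GroovyShell|Eval)\s*[.(]"),
}

def is_affected_version(version):
    """True if a 7.4.3.x version string falls inside the advisory's affected range."""
    m = re.fullmatch(r"7\.4\.3\.(\d+)", version.strip())
    return bool(m) and AFFECTED_RANGE[0] <= int(m.group(1)) <= AFFECTED_RANGE[1]

def audit_actions(actions):
    """Return one finding per Groovy-backed Object Action whose script matches a pattern."""
    # Field names are an assumption modelled on Liferay's Object Action representation.
    findings = []
    for action in actions:
        if action.get("objectActionExecutorKey") != "groovy":
            continue  # webhook and other executors carry no script body
        script = action.get("parameters", {}).get("script", "")
        hits = sorted(name for name, rx in DANGEROUS_PATTERNS.items() if rx.search(script))
        if hits:
            findings.append({"object": action.get("objectDefinitionName"),
                             "action": action.get("name"),
                             "trigger": action.get("objectActionTriggerKey"),
                             "matches": hits})
    return findings

# Constructed sample data for the demonstration, not a real Liferay export.
SAMPLE_ACTIONS = [
    {"objectDefinitionName": "Ticket", "name": "notifyOwner", "objectActionExecutorKey": "groovy",
     "objectActionTriggerKey": "onAfterAdd",
     "parameters": {"script": "println \"Ticket ${ticket.id} created for ${ticket.owner}\""}},
    {"objectDefinitionName": "Ticket", "name": "postHook", "objectActionExecutorKey": "webhook",
     "objectActionTriggerKey": "onAfterUpdate", "parameters": {"url": "https://example.invalid/hook"}},
    {"objectDefinitionName": "Ticket", "name": "cleanup", "objectActionExecutorKey": "groovy",
     "objectActionTriggerKey": "onAfterDelete",
     "parameters": {"script": "def who = \"whoami\".execute().text\nRuntime.getRuntime().exec(\"whoami\")"}},
]

if __name__ == "__main__":
    print("7.4.3.40 affected:", is_affected_version("7.4.3.40"))
    for f in audit_actions(SAMPLE_ACTIONS):
        print(f"{f['object']}.{f['action']} ({f['trigger']}): {', '.join(f['matches'])}")
```

In a real deployment the actions list would come from an export of the instance's Object Action definitions; any finding should be reviewed by someone other than the administrator who created the action.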
Sources:
Reported By: github.com

