How the CVE Works
The vulnerability arises from improper validation of the `_com_liferay_server_admin_web_portlet_ServerAdminPortlet_jarName` parameter in Liferay Portal (versions 7.0.0–7.4.3.4, DXP 7.3 GA–update 34, and older unsupported versions). Attackers exploit this by manipulating the parameter to perform path traversal, allowing:
1. Arbitrary file uploads to server locations.
2. Downloading and executing malicious files from a remote server.
This occurs during Xuggler's download/installation process, where the user-supplied file name is not sanitized before being used as a file system path, leading to unauthorized file system access.
DailyCVE Form
Platform: Liferay Portal
Version: 7.0.0–7.4.3.4
Vulnerability: Path Traversal
Severity: High
Date: Jun 16, 2025
Prediction: Patch by Jul 15, 2025
What Undercode Say
Check installed Liferay version:

```shell
curl -X GET http://<target>/api/jsonws/version
```

Exploit PoC (simulated traversal):

```shell
curl -X POST --data "jarName=../../../malicious.jar" http://<target>/server-admin-portlet
```
How Exploit
1. Craft a malicious JAR and host it on a controlled server.
2. Send a POST request with a traversal path in `jarName`.
3. Trigger execution via Liferay's Xuggler download mechanism.
Protection from this CVE
1. Update to patched versions (5.0.24, 4.0.48, etc.).
2. Disable Xuggler if unused.
3. Implement input sanitization for `jarName`.
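The following is an added example, not code from the advisory or from Liferay, showing what "input sanitization for `jarName`" (step 3) looks like in practice, together with a check that finds traversal attempts against that parameter in web-server access logs. The parameter name comes from the advisory; the download directory `/opt/liferay/data/xuggler`, the `/server-admin-portlet` path and the log lines are constructed for the example and are not Liferay's real paths or real traffic.

```python
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Parameter name taken from the advisory text.
JAR_PARAM = "_com_liferay_server_admin_web_portlet_ServerAdminPortlet_jarName"
# Assumed download directory for the example; not Liferay's real path.
JAR_DIR = "/opt/liferay/data/xuggler"

# Allow-list: a bare file name ending in .jar, no '/' or '\', no leading dot.
SAFE_JAR_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}\.jar")


def is_safe_jar_name(name: str) -> bool:
    """True only for a plain JAR file name with no path separators and no '..'."""
    return bool(SAFE_JAR_NAME.fullmatch(name)) and ".." not in name


def resolve_jar_path(name: str) -> Optional[str]:
    """Join the validated name to the fixed directory and confirm the normalized
    path is still inside it. Returns the absolute path, or None when rejected.
    The containment check is defense in depth: it catches traversal even if the
    allow-list above were loosened later."""
    if not is_safe_jar_name(name):
        return None
    candidate = posixpath.normpath(posixpath.join(JAR_DIR, name))
    if not candidate.startswith(JAR_DIR + "/"):
        return None
    return candidate


# --- Detection side: scan access logs for traversal in the jarName parameter ---

_REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def jar_name_values(log_line: str) -> List[str]:
    """Extract every jarName value from the request URL of one access-log line.
    parse_qs decodes once; the extra unquote catches double-encoded '%252e%252e%252f'.
    POST bodies are not written to access logs, so body-borne values need
    application-level request logging instead."""
    m = _REQUEST_LINE.search(log_line)
    if not m:
        return []
    query = urlsplit(m.group(1)).query
    return [unquote(v) for v in parse_qs(query, keep_blank_values=True).get(JAR_PARAM, [])]


def find_traversal_attempts(log_lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, decoded jarName) for each request whose jarName
    fails the same allow-list the server should enforce."""
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        for value in jar_name_values(line):
            if not is_safe_jar_name(value):
                hits.append((lineno, value))
    return hits


# Constructed sample access-log lines (combined format); not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [16/Jun/2025:10:01:02 +0000] "POST /server-admin-portlet?'
    + JAR_PARAM + '=xuggler-5.4.jar HTTP/1.1" 200 512',
    '198.51.100.7 - - [16/Jun/2025:10:01:09 +0000] "POST /server-admin-portlet?'
    + JAR_PARAM + '=..%2F..%2F..%2Fmalicious.jar HTTP/1.1" 200 512',
    '198.51.100.7 - - [16/Jun/2025:10:01:15 +0000] "POST /server-admin-portlet?'
    + JAR_PARAM + '=%252e%252e%252fmalicious.jar HTTP/1.1" 200 512',
    '203.0.113.9 - - [16/Jun/2025:10:02:00 +0000] "GET /web/guest/home HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for name in ("xuggler-5.4.jar", "../../../malicious.jar", "a/b.jar"):
        print(f"{name!r:30} -> {resolve_jar_path(name)}")
    for lineno, value in find_traversal_attempts(SAMPLE_LOG):
        print(f"line {lineno}: traversal attempt in jarName: {value!r}")
```

The server-side check deliberately uses an allow-list (what a JAR name may look like) rather than a deny-list of `../` patterns, because deny-lists are what encoding tricks such as `%252e%252e%252f` are built to slip past; the log scanner reuses the same predicate after decoding, so anything the server would reject is also what the detection flags.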
Impact
- Remote code execution (RCE).
- Unauthorized system/file access.
- Compromise of server integrity.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode