CVE-2024-25607

Summary

The default password hashing algorithm (PBKDF2-HMAC-SHA1) in Liferay Portal 7.2.0 through 7.4.3.15, and older unsupported versions, and Liferay DXP 7.4 before update 16, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions defaults to a low work factor, which allows attackers to quickly crack password hashes.

Affected Software

VendorProductVersion RangeStatus
LiferayPortal7.2.0 <= 7.4.3.15affected
LiferayDXP7.4.13 <= 7.4.13.u15affected
LiferayDXP7.3.10 <= 7.3.10-dxp-3affected
LiferayDXP7.2.10 <= 7.2.10-dxp-16affected

Weaknesses

  • CWE-916: CWE-916 Use of Password Hash With Insufficient Computational Effort

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

CVE Program Container

Additional References

References