CVE-2020-7961: Deserialization of Untrusted Data in Liferay Portal

May 24, 2022 (updated August 28, 2024)

Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS).

References

github.com/advisories/GHSA-w7pm-cc4v-f3g8
github.com/liferay/liferay-portal
github.com/liferay/liferay-portal/blob/7.2.1-ga2/portal-kernel/bnd.bnd
nvd.nist.gov/vuln/detail/CVE-2020-7961
portal.liferay.dev/learn/security/known-vulnerabilities
portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/117954271
research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet

Code Behaviors & Features

Detect and mitigate CVE-2020-7961 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →