CVE-2021-29053: Liferay Portal and Liferay DXP Vulnerable to Multiple SQL Injections

May 24, 2022 (updated May 14, 2025)

Multiple SQL injection vulnerabilities in Liferay Portal 7.3.5 and Liferay DXP 7.3 before fix pack 1 allow remote authenticated users to execute arbitrary SQL commands via the classPKField parameter to (1) CommerceChannelRelFinder.countByC_C, or (2) CommerceChannelRelFinder.findByC_C.

References

github.com/advisories/GHSA-f9wj-c5pc-g9rh
github.com/liferay/liferay-portal
nvd.nist.gov/vuln/detail/CVE-2021-29053
web.archive.org/web/20221121171927/https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120778225

Code Behaviors & Features

Detect and mitigate CVE-2021-29053 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →