CVE-2021-33334: Liferay Portal and Liferay DXP Fails to Properly Check User Permissions

May 24, 2022 (updated May 14, 2025)

The Dynamic Data Mapping module in Liferay Portal 7.0.0 through 7.3.2, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19, and 7.2 before fix pack 6, does not properly check user permissions, which allows remote attackers with the forms “Access in Site Administration” permission to view all forms and form entries in a site via the forms section in site administration.

References

github.com/advisories/GHSA-g37f-j8hh-736f
github.com/liferay/liferay-portal
issues.liferay.com/browse/LPE-17039
nvd.nist.gov/vuln/detail/CVE-2021-33334
portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120748332

Code Behaviors & Features

Detect and mitigate CVE-2021-33334 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →