CVE-2021-29052: Liferay Portal and Liferay DXP Fails to Check Permissions

May 24, 2022 (updated May 14, 2025)

The Data Engine module in Liferay Portal 7.3.0 through 7.3.5, and Liferay DXP 7.3 before fix pack 1 does not check permissions in DataDefinitionResourceImpl.getSiteDataDefinitionByContentTypeByDataDefinitionKey, which allows remote authenticated users to view DDMStructures via GET API calls.

References

github.com/advisories/GHSA-pr7v-qv65-rp9m
github.com/liferay/liferay-portal
nvd.nist.gov/vuln/detail/CVE-2021-29052
portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743159

Code Behaviors & Features

Detect and mitigate CVE-2021-29052 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →