CVE-2021-33325: Liferay Portal and Liferay DXP Stores User Passwords in Cleartext

May 24, 2022 (updated May 14, 2025)

The Portal Workflow module in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 93, 7.1 before fix pack 19, and 7.2 before fix pack 7, user’s clear text passwords are stored in the database if workflow is enabled for user creation, which allows attackers with access to the database to obtain a user’s password.

References

github.com/advisories/GHSA-6c88-gvxw-f5hg
github.com/liferay/liferay-portal
issues.liferay.com/browse/LPE-17042
nvd.nist.gov/vuln/detail/CVE-2021-33325
portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120748389

Code Behaviors & Features

Detect and mitigate CVE-2021-33325 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →