An issue was discovered in Liferay - Portal <=7.4.3.12-ga12. By inserting malicious content in the FTL Templates, an attacker may perform SSTI (Server-Side Template Injection) attacks, which can leverage FreeMarker exposed objects to bypass restrictions and perform SSRF (Server-Side Request Forgery), read arbitrary files and/or obtain RCE (Remote Code Execution).
Note: This issue exists because of an incomplete fix for CVE-2020-13445.
Liferay is part of the MITRE CNAs program and have decided that, because of the user privileges required to exploit the SSTI, the vulnerability does not represent a high enough risk to warant a CVE or a security advisory.
This vulnerability requires:
- Valid user credentials with the role "Power User", "Site Administrator" or "Site Owner"
More details and the exploitation process can be found in this PDF.
Initial vulnerability (CVE-2020-13445) and blogpost by Alvaro "pwntester" Munoz that inspired the SSTI research and finding of this vulnerability.
HSQL RCE vector was inspired by the blogpost "Remote Code Execution in F5 Big‑IP" by Mikhail Klyuchnikov.
- This vulnerability was initially reported to security@liferay.com on 26-Feb-2022
- Vulnerability was considered a non-issue as "permission to edit templates should only be granted to trusted users"
- Retested the vulnerability on 18-Jan-2023 and noticed that:
- The Arbitrary File Read and SSRF vectors have been patched
- The RCE had been remediated by the HSQL patch for CVE-2022-41853
- Publically disclosed the vulnerability on 03-Jan-2024