
CVE-2020-15840 : What You Need to Know

Summary of CVE-2020-15840, a security-check bypass in Liferay Portal before 7.3.1, Liferay Portal 6.2 EE, and Liferay DXP 7.2, 7.1 and 7.0: what the flaw is, how it is exploited, and how to mitigate it.

In Liferay Portal before 7.3.1, Liferay Portal 6.2 EE, and Liferay DXP 7.2, DXP 7.1 and DXP 7.0, the check configured by the property 'portlet.resource.id.banned.paths.regexp' can be bypassed with double-encoded URLs.

Understanding CVE-2020-15840

This CVE describes a filter-bypass flaw in Liferay Portal and DXP: the regular expression that is supposed to reject banned portlet resource paths can be evaded by percent-encoding the path a second time, so a path the pattern should block is let through.

What is CVE-2020-15840?

'portlet.resource.id.banned.paths.regexp' is a portal property holding a regular expression that Liferay matches against portlet resource IDs in order to refuse paths that must not be served. In the affected versions an attacker can sidestep that denylist by submitting a resource ID whose characters are URL-encoded twice.

The Impact of CVE-2020-15840

Successful exploitation lets an unauthenticated request reach resource paths that the banned-paths regex was configured to deny, which can expose content the portal intended to keep inaccessible and so lead to further compromise of the affected system.

Technical Details of CVE-2020-15840

This section provides more in-depth technical insights into the CVE.

Vulnerability Description

The issue is a check-before-canonicalise mistake in the handling of 'portlet.resource.id.banned.paths.regexp': the regular expression is matched against a form of the resource ID that still carries one layer of percent-encoding. A resource ID encoded twice therefore does not match the pattern, yet when the remaining layer is decoded further down the request path it resolves to exactly the kind of path the property was meant to ban.

Affected Systems and Versions

        Liferay Portal versions before 7.3.1
        Liferay Portal 6.2 EE
        Liferay DXP 7.2, 7.1, and 7.0

Exploitation Mechanism

An attacker builds a portlet resource request whose resource ID has been URL-encoded twice (for example, a '.' becomes '%252e' and a '/' becomes '%252f'). After the container decodes the parameter once, the value still contains '%2e' and '%2f', so the banned-paths regex does not fire; the later decoding step turns it back into a banned path, and the restricted resource is served without authorisation.
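The bypass described above, as an added example that is not Liferay's code and reflects none of its internals: the regex, the once-decoding "container" and the twice-decoding "dispatcher" are hypothetical stand-ins for the real components, and the pattern assigned to BANNED_PATHS_REGEXP is constructed for illustration, not the value shipped in portal.properties. The block also shows the corresponding fix, a check that decodes the resource ID to a fixed point before matching and fails closed on anything still containing '%', which is what the mitigation sections that follow amount to in code.

```python
import re
from urllib.parse import unquote

# Hypothetical denylist in the spirit of portlet.resource.id.banned.paths.regexp
# (constructed for this example; NOT Liferay's real value). It rejects a ".." path
# segment, including its single-percent-encoded form, and anything under WEB-INF
# or META-INF. Note that it already anticipates ONE layer of encoding.
BANNED_PATHS_REGEXP = re.compile(
    r"(?i)(?:\A|/)(?:\.|%2e){2}(?:/|\Z)|(?:\A|/)(?:WEB-INF|META-INF)(?:/|\Z)"
)

# Upper bound on decode rounds, so a pathological input cannot loop forever.
MAX_DECODE_ROUNDS = 4


def container_decode(raw_resource_id: str) -> str:
    """Model of the servlet container: query parameters are percent-decoded once."""
    return unquote(raw_resource_id)


def vulnerable_is_banned(raw_resource_id: str) -> bool:
    """Flawed check: the regex is matched against the once-decoded resource ID.

    A second layer of encoding hides both the '..' segment and the 'WEB-INF'
    directory from the pattern, because the separators are still '%2f'.
    """
    return bool(BANNED_PATHS_REGEXP.search(container_decode(raw_resource_id)))


def dispatcher_path(raw_resource_id: str) -> str:
    """Model of the downstream consumer that decodes the (already once-decoded)
    resource ID a second time before resolving it as a path."""
    return unquote(container_decode(raw_resource_id))


def fully_decode(value: str, max_rounds: int = MAX_DECODE_ROUNDS) -> str:
    """Percent-decode until the value stops changing (a fixed point).

    Raises ValueError if the value is still changing after max_rounds; the
    caller treats that as hostile input.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("resource ID still changing after %d decode rounds" % max_rounds)


def hardened_is_banned(raw_resource_id: str) -> bool:
    """Corrected check: canonicalise first, then match, and fail closed.

    The regex is applied to the fixed-point decoding of the resource ID, so no
    later decoding step can reveal a path the pattern did not see. Any leftover
    '%' (an invalid or unresolvable escape) is rejected outright.
    """
    try:
        canonical = fully_decode(container_decode(raw_resource_id))
    except ValueError:
        return True
    if "%" in canonical:
        return True
    return bool(BANNED_PATHS_REGEXP.search(canonical))


def evaluate(raw_resource_id: str) -> dict:
    """Run one resource ID through both checks and the dispatcher model."""
    return {
        "once_decoded": container_decode(raw_resource_id),
        "vulnerable_banned": vulnerable_is_banned(raw_resource_id),
        "dispatched_path": dispatcher_path(raw_resource_id),
        "hardened_banned": hardened_is_banned(raw_resource_id),
    }


# Constructed sample resource IDs, as they would arrive in a resource-request
# query parameter before the container's own decode.
SAMPLES = {
    "plain traversal":   "../WEB-INF/web.xml",
    "single-encoded":    "%2e%2e%2fWEB-INF%2fweb.xml",
    "double-encoded":    "%252e%252e%252fWEB-INF%252fweb.xml",
    "benign":            "js/app.js",
    "benign with space": "docs/report%2520final.pdf",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        result = evaluate(raw)
        print("%-18s raw=%s" % (label, raw))
        print("    once decoded : %s" % result["once_decoded"])
        print("    vulnerable   : %s" % ("BANNED" if result["vulnerable_banned"] else "allowed"))
        print("    dispatched   : %s" % result["dispatched_path"])
        print("    hardened     : %s" % ("BANNED" if result["hardened_banned"] else "allowed"))
```

The "double-encoded" sample is the interesting row: after one decode it reads '%2e%2e%2fWEB-INF%2fweb.xml', which the pattern does not match even though it explicitly lists '%2e', because the path separators are still encoded; the dispatcher then decodes it into '../WEB-INF/web.xml'. The hardened variant matches on the fixed point instead. If double-encoded resource IDs have no legitimate use in a deployment, the stricter and simpler rule is to reject any once-decoded resource ID that still contains '%' at all.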

Mitigation and Prevention

Protecting systems from CVE-2020-15840 requires immediate actions and long-term security practices.

Immediate Steps to Take

        Update Liferay Portal CE to version 7.3.1 or newer; for Liferay Portal 6.2 EE and Liferay DXP 7.0, 7.1 and 7.2, apply the fix Liferay provides for that release line.
        Review access logs for portlet resource requests whose resource ID still contains percent-encoded sequences after decoding (for example '%25' in the raw request), and restrict access to sensitive areas of the portal until the fix is in place.

Long-Term Security Practices

        Regularly review and update security configurations and policies.
        Conduct security audits and penetration testing to identify and address vulnerabilities.

Patching and Updates

        Apply security patches and updates provided by Liferay to ensure ongoing protection against known vulnerabilities.
