CVE-2021-33322 allows remote attackers to change a user's password through an old password reset token in Liferay Portal and DXP. This page covers the impact, affected versions and mitigation steps.
In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 18, and 7.2 before fix pack 5, password reset tokens are not invalidated after a user changes their password, which allows remote attackers to change the user’s password via the old password reset token.
Understanding CVE-2021-33322
This CVE highlights a vulnerability in Liferay Portal and Liferay DXP versions that can be exploited by remote attackers to change a user's password using an old password reset token.
What is CVE-2021-33322?
CVE-2021-33322 is a security vulnerability in Liferay Portal and Liferay DXP versions that fail to invalidate password reset tokens after a user changes their password, potentially enabling unauthorized password changes by attackers.
The Impact of CVE-2021-33322
The impact of this CVE is significant as it allows remote attackers to exploit the system's failure to invalidate old password reset tokens, leading to unauthorized password changes and potential account compromise.
Technical Details of CVE-2021-33322
This section will delve into the specifics of the vulnerability, including its description, affected systems, versions, and exploitation mechanism.
Vulnerability Description
The vulnerability in Liferay Portal and Liferay DXP versions allows remote attackers to change a user's password via an old password reset token that is not invalidated after a password change.
Affected Systems and Versions
Liferay Portal versions 7.3.0 and earlier, and Liferay DXP versions 7.0 (before fix pack 96), 7.1 (before fix pack 18), and 7.2 (before fix pack 5) are affected by this security flaw.
Exploitation Mechanism
Remote attackers can exploit this vulnerability by using an old password reset token that remains valid even after the user has changed their password, which lets them set a new password for that user.
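As an added illustration that is not Liferay's code, the constructed Python model below shows the defensive pattern the flaw lacks: every password change bumps a per-user "generation" counter and purges that user's outstanding tokens, so a token issued before the change can no longer be redeemed. Constructing the service with `invalidate_on_change=False` reproduces the behaviour described above (the old token is still accepted) so the two can be compared; all class, method and user names are assumptions made for the example.

```python
import hashlib
import secrets
import time

class PasswordResetService:
    # Constructed model, not Liferay's code. Tokens are stored as SHA-256 digests
    # and bound to the user's password generation at the time they were issued.
    def __init__(self, invalidate_on_change=True):
        self.invalidate_on_change = invalidate_on_change  # False reproduces the CVE
        self.users = {}   # username -> {"password": str, "generation": int}
        self.tokens = {}  # token digest -> (username, generation, expires_at)

    def add_user(self, username, password):
        self.users[username] = {"password": password, "generation": 0}

    def issue_reset_token(self, username):
        token = secrets.token_urlsafe(32)  # the value sent to the user by e-mail
        digest = hashlib.sha256(token.encode()).hexdigest()
        generation = self.users[username]["generation"]
        self.tokens[digest] = (username, generation, time.time() + 900)  # 15 min TTL
        return token

    def change_password(self, username, new_password):
        user = self.users[username]
        user["password"] = new_password
        if self.invalidate_on_change:
            user["generation"] += 1  # every token issued earlier is now stale
            self.tokens = {d: t for d, t in self.tokens.items() if t[0] != username}

    def redeem_reset_token(self, token, new_password):
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.tokens.pop(digest, None)  # single use in either mode
        if entry is None:
            return False
        username, generation, expires_at = entry
        user = self.users[username]
        # The generation check backs up the purge (e.g. tokens kept in another store).
        stale = self.invalidate_on_change and generation != user["generation"]
        if time.time() > expires_at or stale:
            return False
        user["password"] = new_password
        return True

def old_token_still_works(invalidate_on_change):
    # Issue a token, let the user change the password, then redeem the old token.
    svc = PasswordResetService(invalidate_on_change)
    svc.add_user("alice", "old-secret")
    old_token = svc.issue_reset_token("alice")
    svc.change_password("alice", "new-secret")
    return svc.redeem_reset_token(old_token, "set-via-stale-token")
```

`old_token_still_works(False)` returns True, mirroring the vulnerable behaviour; `old_token_still_works(True)` returns False because the change of password orphaned the token.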
Mitigation and Prevention
To mitigate the risks associated with CVE-2021-33322, take the immediate steps below, apply the available patches promptly, and adopt the long-term security practices that follow.
Immediate Steps to Take
Administrators should reset their own passwords, advise users to do the same, and confirm that every outstanding password reset token is invalidated after each password change.
Long-Term Security Practices
Implementing multi-factor authentication, regular password updates, and security awareness training can enhance overall security posture and reduce the risk of similar attacks.
Patching and Updates
Users should apply the necessary patches provided by Liferay for Liferay Portal and Liferay DXP to address the vulnerability and prevent potential exploitation.