Discover the details of CVE-2021-33325 affecting Liferay Portal and Liferay DXP versions, allowing attackers access to user passwords. Learn how to mitigate this security risk.
A vulnerability has been identified in the Portal Workflow module in Liferay Portal versions 7.3.2 and earlier, as well as Liferay DXP versions 7.0, 7.1, and 7.2. This vulnerability allows attackers with access to the database to obtain a user's password if workflow is enabled for user creation.
Understanding CVE-2021-33325
This section will provide insights into the nature and impact of the CVE.
What is CVE-2021-33325?
The Portal Workflow module in certain versions of Liferay Portal and Liferay DXP stores user passwords in clear text in the database when workflow is enabled for user creation.
The Impact of CVE-2021-33325
The vulnerability enables malicious actors who have access to the database to extract users' passwords, compromising their security and privacy.
Technical Details of CVE-2021-33325
In this section, we will explore the specific technical aspects of the CVE.
Vulnerability Description
The vulnerability arises because user passwords are stored in clear text in the database, so anyone able to read the database can read those passwords directly.
Affected Systems and Versions
The affected systems include Liferay Portal versions 7.3.2 and earlier, as well as Liferay DXP versions 7.0, 7.1, and 7.2.
Exploitation Mechanism
Attackers with access to the database where the passwords are stored can exploit this vulnerability to retrieve user passwords.
Mitigation and Prevention
This section outlines steps to mitigate the risk associated with CVE-2021-33325.
Immediate Steps to Take
Users should consider changing their passwords, and administrators should disable workflow for user creation if it is not essential.
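To decide whose passwords need changing, an audit like the following can be run over an export of the stored workflow data to locate records that still carry a clear-text password. It is an added example, not Liferay's code: the row layout (record id plus JSON-serialized workflow context), the key names and the sample rows are all assumptions constructed for illustration.

```python
import json
import re

# Key names that suggest a password field (assumed; adjust to your export).
SECRET_KEY = re.compile(r"passw(or)?d", re.IGNORECASE)
# Values that look like a stored digest rather than a clear-text password.
HASHED = re.compile(
    r"\{[A-Za-z0-9_-]+\}.+"              # {ALGORITHM}digest prefix style
    r"|\$2[aby]\$\d{2}\$.{53}"           # bcrypt
    r"|[0-9a-fA-F]{40}|[0-9a-fA-F]{64}"  # bare SHA-1 / SHA-256 hex
)

def string_leaves(node, path="$"):
    """Yield (path, key, value) for each string-valued key in nested JSON."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if isinstance(value, str):
                yield child, key, value
            else:
                yield from string_leaves(value, child)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from string_leaves(value, f"{path}[{i}]")

def find_cleartext_secrets(rows):
    """Return (record_id, json_path) pairs; the secret itself is never returned."""
    findings = []
    for record_id, raw in rows:
        try:
            doc = json.loads(raw)
        except (TypeError, ValueError):
            findings.append((record_id, "<unparseable: review manually>"))
            continue
        for path, key, value in string_leaves(doc):
            if SECRET_KEY.search(key) and value and not HASHED.fullmatch(value):
                findings.append((record_id, path))
    return findings

# Constructed sample export: (record id, serialized workflow context).
SAMPLE_ROWS = [
    (101, '{"entryClassName": "User", "serviceContext": {"attributes": {"password1": "Spring2021!", "password2": "Spring2021!"}}}'),
    (102, '{"entryClassName": "User", "serviceContext": {"attributes": {"password": "{SHA-256}' + "ab" * 32 + '"}}}'),
    (103, '{"entryClassName": "BlogsEntry", "title": "hello"}'),
    (104, "not json"),
]

if __name__ == "__main__":
    for record_id, where in find_cleartext_secrets(SAMPLE_ROWS):
        print(f"record {record_id}: clear-text candidate at {where}")
```

The report lists only record ids and field paths, so it can be shared with the team handling password resets without spreading the exposed values further.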
Long-Term Security Practices
Implementing strong password policies and encryption protocols can enhance overall security posture.
Patching and Updates
Users are advised to apply the latest fix packs provided by Liferay to address this vulnerability.