Liferay Portal Default Password Hashing Algorithm Vulnerability
CVE-2024-25607
7.5HIGH
What is CVE-2024-25607?
A vulnerability exists in Liferay Portal and Liferay DXP due to the use of a default password hashing algorithm, PBKDF2-HMAC-SHA1, which employs a low work factor. This configuration allows attackers to effectively crack password hashes, compromising the security of user accounts. The issue affects Liferay Portal versions 7.2.0 through 7.4.3.15, as well as older unsupported versions, and specific updates of Liferay DXP. Organizations using these affected versions should prioritize upgrading to the latest versions or applying the necessary patches to enhance password security and protect against unauthorized access.
Affected Version(s)
DXP 7.4.13 <= 7.4.13.u15
DXP 7.3.10 <= 7.3.10-dxp-3
DXP 7.2.10 <= 7.2.10-dxp-16