CVE-2020-15839 : Liferay Portal before 7.3.3, and Liferay DXP 7.1 before fix pack 18 and 7.2 before fix pack 6, does not restrict the siz

Liferay Portal before 7.3.3, and Liferay DXP 7.1 before fix pack 18 and 7.2 before fix pack 6, does not restrict the size of a multipart/form-data POST action, which allows remote authenticated users to conduct denial-of-service attacks by uploading large files.

Published 2020-09-22 18:15:24

Updated 2020-09-30 15:29:57

Source MITRE

View at NVD, CVE.org

Vulnerability category: Denial of service

Threat overview for CVE-2020-15839

Top countries where our scanners detected CVE-2020-15839

Top open port discovered on systems with this issue 80

IPs affected by CVE-2020-15839 420

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2020-15839!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2020-15839

Probability of exploitation activity in the next 30 days: 0.23%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 60 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2020-15839

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.0	MEDIUM	AV:N/AC:L/Au:S/C:N/I:N/A:P	8.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial
6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H	2.8	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2020-15839

CWE-434 Unrestricted Upload of File with Dangerous Type

The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2020-15839

https://portal.liferay.dev/learn/security/known-vulnerabilities

Known Vulnerabilities
Vendor Advisory

CVEs referencing this url
https://issues.liferay.com/browse/LPE-17055

[LPE-17055] LSV-697: Trying to upload very large files with a multipart/formdata request can leave server without memory space - Liferay Issues
Vendor Advisory
https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119784928

CST-7317 DoS vulnerability with multipart/form-data requests (CVE-2020-15839)
Vendor Advisory
https://issues.liferay.com/browse/LPE-17029

[LPE-17029] LSV-697: DoS vulnerability with multipart/form-data requests - Liferay Issues
Vendor Advisory

Products affected by CVE-2020-15839

Liferay » Liferay Portal
Versions before (<) 7.3.3
cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*
Matching versions
Liferay » Digital Experience Platform » Version: 7.1
cpe:2.3:a:liferay:digital_experience_platform:7.1:-:*:*:*:*:*:*
Matching versions
Liferay » Digital Experience Platform » Version: 7.1 Update Fix Pack 1
cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_1:*:*:*:*:*:*
Matching versions
Liferay » Digital Experience Platform » Version: 7.1 Update Fix Pack 10
cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_10:*:*:*:*:*:*
Matching versions
Liferay » Digital Experience Platform » Version: 7.1 Update Fix Pack 11
cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_11:*:*:*:*:*:*
Matching versions
Liferay » Digital Experience Platform » Version: 7.1 Update Fix Pack 12
cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_12:*:*:*:*:*:*
Matching versions
Liferay » Digital Experience Platform » Version: 7.1 Update Fix Pack 13
cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_13:*:*:*:*:*:*
Matching versions
Liferay » Digital Experience Platform » Version: 7.1 Update Fix Pack 14
cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_14:*:*:*:*:*:*
Matching versions
Liferay » Digital Experience Platform » Version: 7.1 Update Fix Pack 15
cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_15:*:*:*:*:*:*
Matching versions
Liferay » Digital Experience Platform » Version: 7.1 Update Fix Pack 16
cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_16:*:*:*:*:*:*
Matching versions
Liferay » Digital Experience Platform » Version: 7.1 Update Fix Pack 17
cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_17:*:*:*:*:*:*
Matching versions
Liferay » Digital Experience Platform » Version: 7.1 Update Fix Pack 2
cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_2:*:*:*:*:*:*
Matching versions
Liferay » Digital Experience Platform » Version: 7.1 Update Fix Pack 3
cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_3:*:*:*:*:*:*
Matching versions
Liferay » Digital Experience Platform » Version: 7.1 Update Fix Pack 4
cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_4:*:*:*:*:*:*
Matching versions
Liferay » Digital Experience Platform » Version: 7.1 Update Fix Pack 5
cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_5:*:*:*:*:*:*
Matching versions
Liferay » Digital Experience Platform » Version: 7.1 Update Fix Pack 6
cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_6:*:*:*:*:*:*
Matching versions
Liferay » Digital Experience Platform » Version: 7.1 Update Fix Pack 7
cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_7:*:*:*:*:*:*
Matching versions
Liferay » Digital Experience Platform » Version: 7.1 Update Fix Pack 8
cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_8:*:*:*:*:*:*
Matching versions
Liferay » Digital Experience Platform » Version: 7.1 Update Fix Pack 9
cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_9:*:*:*:*:*:*
Matching versions
Liferay » Digital Experience Platform » Version: 7.1 Update SP1
cpe:2.3:a:liferay:digital_experience_platform:7.1:sp1:*:*:*:*:*:*
Matching versions
Liferay » Digital Experience Platform » Version: 7.2
cpe:2.3:a:liferay:digital_experience_platform:7.2:-:*:*:*:*:*:*
Matching versions
Liferay » Digital Experience Platform » Version: 7.2 Update Fix Pack 1
cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_1:*:*:*:*:*:*
Matching versions
Liferay » Digital Experience Platform » Version: 7.2 Update Fix Pack 2
cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_2:*:*:*:*:*:*
Matching versions
Liferay » Digital Experience Platform » Version: 7.2 Update Fix Pack 3
cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_3:*:*:*:*:*:*
Matching versions
Liferay » Digital Experience Platform » Version: 7.2 Update Fix Pack 4
cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_4:*:*:*:*:*:*
Matching versions
Liferay » Digital Experience Platform » Version: 7.2 Update Fix Pack 5
cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_5:*:*:*:*:*:*
Matching versions

This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!