Vulnerability Details : CVE-2020-15842
Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 90, 7.1 before fix pack 17, and 7.2 before fix pack 5, allows man-in-the-middle attackers to execute arbitrary code via crafted serialized payloads, because of insecure deserialization.
Vulnerability category: Execute code
Products affected by CVE-2020-15842
- cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.0:-:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.0:fix_pack_13:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.0:fix_pack_14:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.0:fix_pack_24:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.0:fix_pack_25:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.0:fix_pack_26:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.0:fix_pack_27:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.0:fix_pack_28:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.0:fix_pack_3\+:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.0:fix_pack_30:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.0:fix_pack_33:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.0:fix_pack_35:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.0:fix_pack_36:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.0:fix_pack_39:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.0:fix_pack_40:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.0:fix_pack_41:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.0:fix_pack_42:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.0:fix_pack_43:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.0:fix_pack_44:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.0:fix_pack_45:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.0:fix_pack_46:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.0:fix_pack_47:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.0:fix_pack_48:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.0:fix_pack_49:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.0:fix_pack_50:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.0:fix_pack_51:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.0:fix_pack_52:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.0:fix_pack_53:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.0:fix_pack_54:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.0:fix_pack_56:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.0:fix_pack_57:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.0:fix_pack_58:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.0:fix_pack_59:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.0:fix_pack_60:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.0:fix_pack_61:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.0:fix_pack_64:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.0:fix_pack_65:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.0:fix_pack_66:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.0:fix_pack_67:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.0:fix_pack_68:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.0:fix_pack_69:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.0:fix_pack_70:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.0:fix_pack_71:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.0:fix_pack_72:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.0:fix_pack_73:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.0:fix_pack_75:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.0:fix_pack_76:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.0:fix_pack_78:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.0:fix_pack_79:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.0:fix_pack_80:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.0:fix_pack_81:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.1:-:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.1:fix_pack_1:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.1:fix_pack_10:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.1:fix_pack_11:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.1:fix_pack_12:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.1:fix_pack_13:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.1:fix_pack_14:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.1:fix_pack_15:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.1:fix_pack_16:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.1:fix_pack_2:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.1:fix_pack_3:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.1:fix_pack_4:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.1:fix_pack_5:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.1:fix_pack_6:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.1:fix_pack_7:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.1:fix_pack_8:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.1:fix_pack_9:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.2:-:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.2:fix_pack_1:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.2:fix_pack_2:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.2:fix_pack_3:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.2:fix_pack_4:*:*:*:*:*:*
- cpe:2.3:a:liferay:dxp:7.2:fix_pack_5:*:*:*:*:*:*
Threat overview for CVE-2020-15842
Top countries where our scanners detected CVE-2020-15842
Top open port discovered on systems with this issue
80
IPs affected by CVE-2020-15842 550
Threat actors abusing to this issue?
Yes
Find out if you* are
affected by CVE-2020-15842!
*Directly or indirectly through your vendors, service providers and 3rd parties.
Powered by
attack surface intelligence
from SecurityScorecard.
Exploit prediction scoring system (EPSS) score for CVE-2020-15842
0.16%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 53 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-15842
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.8
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
8.6
|
6.4
|
NIST | |
8.1
|
HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
2.2
|
5.9
|
MITRE | |
8.1
|
HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
2.2
|
5.9
|
NIST |
CWE ids for CVE-2020-15842
-
The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-15842
-
https://issues.liferay.com/browse/LPE-16963
[LPE-16963] Java deserialization vulnerability in clustered setup - Liferay IssuesIssue Tracking;Vendor Advisory
-
https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119317427
CST-7213 Java deserialization vulnerability in clustered setupVendor Advisory
Jump to