CVE-2019-16891

CVSS V2 High 7.5 CVSS V3 High 8.8
Description
Liferay Portal CE 6.2.5 allows remote command execution because of deserialization of a JSON payload.
Overview
  • CVE ID
  • CVE-2019-16891
  • Assigner
  • cve@mitre.org
  • Vulnerability Status
  • Analyzed
  • Published Version
  • 2019-10-04T14:15:11
  • Last Modified Date
  • 2023-02-24T00:31:58
Weakness Enumerations
CWE URL
CWE-502 http://cwe.mitre.org/data/definitions/502.html
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:liferay:liferay_portal:*:*:*:*:community:*:*:* 1 OR 6.0.6
cpe:2.3:a:liferay:liferay_portal:6.1.0:b1:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:6.1.0:b2:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:6.1.0:b3:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:6.1.0:b4:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:6.1.0:ga1:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:6.1.0:rc1:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:6.1.1:ga2:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:6.1.2:ga3:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:6.2.0:b1:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:6.2.0:b2:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:6.2.0:ga1:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:6.2.0:m1:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:6.2.0:m2:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:6.2.0:m3:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:6.2.0:m4:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:6.2.0:m5:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:6.2.0:m6:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:6.2.0:rc1:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:6.2.0:rc2:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:6.2.0:rc3:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:6.2.0:rc4:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:6.2.0:rc5:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:6.2.0:rc6:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:6.2.1:ga2:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:6.2.2:ga3:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:6.2.3:ga4:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:6.2.4:ga5:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:6.2.5:ga6:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:7.0.0:a1:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:7.0.0:a2:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:7.0.0:a3:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:7.0.0:a4:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:7.0.0:a5:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:7.0.0:b1:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:7.0.0:b2:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:7.0.0:b3:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:7.0.0:b4:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:7.0.0:b5:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:7.0.0:b6:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:7.0.0:b7:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:7.0.0:ga1:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:7.0.0:m1:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:7.0.0:m2:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:7.0.0:m3:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:7.0.0:m4:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:7.0.0:m5:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:7.0.0:m6:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:7.0.0:m7:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:7.0.1:ga2:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:7.0.2:ga3:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:7.0.3:ga4:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:7.0.4:ga5:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:7.0.5:ga6:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:7.0.6:ga7:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:7.1.0:a1:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:7.1.0:a2:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:7.1.0:b1:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:7.1.0:b2:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:7.1.0:b3:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:7.1.0:ga1:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:7.1.0:m1:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:7.1.0:m2:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:7.1.0:rc1:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:7.1.1:ga2:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:7.1.2:ga3:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:7.1.3:ga4:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:7.2.0:alpha1:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:7.2.0:beta1:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:7.2.0:beta2:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:7.2.0:beta3:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:7.2.0:m2:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:7.2.0:rc1:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:7.2.0:rc2:*:*:community:*:*:* 1 OR
cpe:2.3:a:liferay:liferay_portal:7.2.0:rc3:*:*:community:*:*:* 1 OR
CVSS Version 2
  • Version
  • 2.0
  • Vector String
  • AV:N/AC:L/Au:N/C:P/I:P/A:P
  • Access Vector
  • NETWORK
  • Access Compatibility
  • LOW
  • Authentication
  • NONE
  • Confidentiality Impact
  • PARTIAL
  • Integrity Impact
  • PARTIAL
  • Availability Impact
  • PARTIAL
  • Base Score
  • 7.5
  • Severity
  • HIGH
  • Exploitability Score
  • 10
  • Impact Score
  • 6.4
CVSS Version 3
  • Version
  • 3.1
  • Vector String
  • CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Attack Vector
  • NETWORK
  • Attack Compatibility
  • LOW
  • Privileges Required
  • LOW
  • User Interaction
  • NONE
  • Scope
  • UNCHANGED
  • Confidentiality Impact
  • HIGH
  • Availability Impact
  • HIGH
  • Base Score
  • 8.8
  • Base Severity
  • HIGH
  • Exploitability Score
  • 2.8
  • Impact Score
  • 5.9
References
Reference URL Reference Tags
https://dappsec.substack.com/p/an-advisory-for-cve-2019-16891-from
https://sec.vnpt.vn/2019/09/liferay-deserialization-json-deserialization-part-4/ Exploit Third Party Advisory
https://www.liferay.com/downloads-community Product Release Notes
https://www.youtube.com/watch?v=DjMEfQW3bf0 Third Party Advisory
Sources
Source Name Source URL
NIST https://nvd.nist.gov/vuln/detail/CVE-2019-16891
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16891
History
Created Old Value New Value Data Type Notes
2022-05-10 17:02:12 Added to TrackCVE
2022-12-04 03:48:18 2019-10-04T14:15Z 2019-10-04T14:15:11 CVE Published Date updated
2022-12-04 03:48:18 2019-10-10T20:13:13 CVE Modified Date updated
2022-12-04 03:48:18 Analyzed Vulnerability Status updated
2022-12-21 19:09:21 2022-12-21T18:56:34 CVE Modified Date updated
2022-12-21 19:09:21 AV:N/AC:L/Au:S/C:P/I:P/A:P AV:N/AC:L/Au:N/C:P/I:P/A:P CVSS V2 vector_string updated
2022-12-21 19:09:21 SINGLE NONE CVSS V2 authentication updated
2022-12-21 19:09:21 6.5 7.5 CVSS V2 baseScore updated
2022-12-21 19:09:21 MEDIUM HIGH CVSS V2 baseSeverity updated
2022-12-21 19:09:21 8 10 CVSS V2 exploitabilityScore updated
2022-12-27 23:09:26 2022-12-27T22:15:11 CVE Modified Date updated
2022-12-27 23:09:26 Analyzed Modified Vulnerability Status updated
2022-12-27 23:09:26 References updated
2022-12-28 12:09:16 Modified Undergoing Analysis Vulnerability Status updated
2023-02-24 01:09:00 2023-02-24T00:31:58 CVE Modified Date updated
2023-02-24 01:09:00 Undergoing Analysis Analyzed Vulnerability Status updated