Vulnerability Description
Liferay Portal CE 6.2.5 allows remote command execution because of deserialization of a JSON payload.
CVSS Score
9.8
CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Liferay | Liferay Portal | <= 6.0.6 |
Related Weaknesses (CWE)
References
- https://dappsec.substack.com/p/an-advisory-for-cve-2019-16891-from (Exploit, Third Party Advisory)
- https://sec.vnpt.vn/2019/09/liferay-deserialization-json-deserialization-part-4/ (Exploit, Third Party Advisory)
- https://www.liferay.com/downloads-community (Product, Release Notes)
- https://www.youtube.com/watch?v=DjMEfQW3bf0 (Exploit)
FAQ
What is CVE-2019-16891?
CVE-2019-16891 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Liferay Portal CE 6.2.5 allows remote command execution because of deserialization of a JSON payload.
How severe is CVE-2019-16891?
CVE-2019-16891 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2019-16891?
Check the references section above for vendor advisories and patch information. Affected products include: Liferay Portal (vendor: Liferay).