CVE-2021-33321

7.5 HIGH

📋 TL;DR

This vulnerability allows remote attackers to enumerate user email addresses through Liferay's forgot password functionality due to an insecure default configuration. Affected systems include Liferay Portal 6.2.3 through 7.3.2 and Liferay DXP before 7.3.

💻 Affected Systems

Products:
  • Liferay Portal
  • Liferay DXP
Versions: Liferay Portal 6.2.3 through 7.3.2, Liferay DXP before 7.3
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists because the portal.properties setting login.secure.forgot.password defaults to false instead of true.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could enumerate all user email addresses, enabling targeted phishing campaigns, credential stuffing attacks, or social engineering against specific individuals.

🟠 Likely Case

Attackers harvest valid email addresses for spam lists or targeted attacks against specific users.

🟢 If Mitigated

With proper configuration, the forgot password functionality returns generic messages that don't reveal whether an email address exists in the system.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable without authentication and affects internet-facing login portals.
🏢 Internal Only: MEDIUM - Internal attackers could still enumerate email addresses, but the impact is reduced compared to external exposure.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is trivial - attackers simply submit email addresses to the forgot password endpoint and observe whether the system confirms the email exists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Liferay Portal 7.3.3+, Liferay DXP 7.3+

Vendor Advisory: https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120748055

Restart Required: Yes

Instructions:

1. Upgrade to Liferay Portal 7.3.3 or later, or Liferay DXP 7.3 or later.
2. Restart the application server.
3. Verify the login.secure.forgot.password property is set to true.

🔧 Temporary Workarounds

Configuration Change (all affected versions)

Set login.secure.forgot.password=true in portal-ext.properties:

echo 'login.secure.forgot.password=true' >> $LIFERAY_HOME/portal-ext.properties

🧯 If You Can't Patch

  • Implement the configuration workaround immediately
  • Consider implementing rate limiting or CAPTCHA on the forgot password endpoint

🔍 How to Verify

Check if Vulnerable:

Test the forgot password functionality - if it confirms whether an email exists in the system, you're vulnerable.

Check Version:

Check the Liferay version in Control Panel → Configuration → Server Administration → System Information

Verify Fix Applied:

Test the forgot password functionality - it should return a generic message regardless of whether the email exists.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed forgot password attempts for different email addresses
  • Unusual volume of requests to /c/portal/login/password

Network Indicators:

  • High volume of POST requests to forgot password endpoint
  • Pattern of sequential email address attempts

SIEM Query:

source="liferay.log" AND (uri_path="/c/portal/login/password" OR message="Forgot password") | stats count by src_ip
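As an added example (not part of this advisory), the following Python turns the log indicators above into a check: it parses request lines, counts forgot-password POSTs to /c/portal/login/password per source IP, and flags sources that cycle through many distinct addresses. The log line layout, the thresholds and the sample lines are assumptions constructed for the example.

```python
# Added example (not from the advisory): flag forgot-password enumeration against
# Liferay by counting POSTs to the endpoint per source IP and the distinct addresses
# each source tried. The log layout "<ts> <src_ip> <method> <path> [email=<addr>]"
# and the thresholds are assumptions; tune them to the portal's normal reset volume.
import re
from collections import defaultdict

FORGOT_PASSWORD_PATH = "/c/portal/login/password"  # endpoint named in the advisory
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<method>[A-Z]+)\s+"
    r"(?P<path>\S+)(?:\s+email=(?P<email>\S+))?"
)

def parse_line(line):
    """Parsed fields of one log line, or None if the line does not match the layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def collect(lines):
    """Per source IP: number of forgot-password POSTs and the distinct emails tried."""
    stats = defaultdict(lambda: {"requests": 0, "emails": set()})
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or rec["path"] != FORGOT_PASSWORD_PATH:
            continue
        entry = stats[rec["ip"]]
        entry["requests"] += 1
        if rec["email"]:
            entry["emails"].add(rec["email"].lower())  # compare addresses case-insensitively
    return stats

def suspicious_sources(lines, max_requests=5, max_distinct_emails=3):
    """IPs whose reset traffic looks like enumeration (too many requests, or too many
    different addresses from one place). Returns {ip: (requests, distinct_emails)}."""
    flagged = {}
    for ip, entry in collect(lines).items():
        distinct = len(entry["emails"])
        if entry["requests"] > max_requests or distinct > max_distinct_emails:
            flagged[ip] = (entry["requests"], distinct)
    return flagged

# Constructed sample: one legitimate reset from 192.0.2.10, one source cycling addresses.
SAMPLE_LOG = """\
2021-06-01T10:00:01Z 192.0.2.10 POST /c/portal/login/password email=alice@example.com
2021-06-01T10:00:05Z 192.0.2.10 GET /web/guest/home
2021-06-01T10:01:00Z 203.0.113.5 POST /c/portal/login/password email=a@example.com
2021-06-01T10:01:01Z 203.0.113.5 POST /c/portal/login/password email=b@example.com
2021-06-01T10:01:02Z 203.0.113.5 POST /c/portal/login/password email=c@example.com
2021-06-01T10:01:03Z 203.0.113.5 POST /c/portal/login/password email=D@example.com
""".splitlines()
```

Calling suspicious_sources(SAMPLE_LOG) flags only 203.0.113.5, since four different addresses from one source exceed the distinct-address threshold even though the raw request count does not.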
