CVE-2025-43768
📋 TL;DR
This vulnerability allows authenticated users without specific permissions to access sensitive information of admin users via JSONWS APIs in Liferay Portal and DXP. It affects Liferay Portal 7.4.0-7.4.3.131 and multiple Liferay DXP versions from 2024.Q1 through 2024.Q4. The issue stems from improper authorization checks in JSONWS endpoints.
💻 Affected Systems
- Liferay Portal
- Liferay DXP
⚠️ Risk & Real-World Impact
Worst Case
Attackers could exfiltrate sensitive admin user data including personal information, credentials, or configuration details, potentially leading to privilege escalation or further system compromise.
Likely Case
Authenticated low-privilege users accessing admin user profiles, contact information, or other sensitive user data they shouldn't have permission to view.
If Mitigated
With proper network segmentation and access controls, impact is limited to authorized users within controlled environments.
🎯 Exploit Status
Exploitation requires authenticated access but no special permissions; involves calling specific JSONWS APIs
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Liferay Portal 7.4.3.132+; Liferay DXP 2024.Q4.8+, 2024.Q3.14+, 2024.Q2.14+, 2024.Q1.16+, and 7.4 update 93+
Vendor Advisory: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43768
Restart Required: Yes
Instructions:
1. Download the appropriate fix pack from the Liferay Customer Portal.
2. Back up the current installation.
3. Apply the fix pack following Liferay documentation.
4. Restart the application server.
5. Verify the fix by testing JSONWS API access controls.
🔧 Temporary Workarounds
Restrict JSONWS API Access
Configure a web application firewall or reverse proxy to restrict access to JSONWS endpoints.
Implement Network Segmentation
Isolate Liferay instances from untrusted networks and limit access to authenticated users only.
🧯 If You Can't Patch
- Implement strict access controls and monitor for unusual JSONWS API calls
- Disable or restrict JSONWS APIs for non-admin users through custom portal-ext.properties configuration
🔍 How to Verify
Check if Vulnerable:
Test if authenticated non-admin users can access admin user data via JSONWS APIs (e.g., /api/jsonws/user/get-user-by-id)
Check Version:
Check Liferay version via Control Panel → Configuration → Server Administration → System Information
Verify Fix Applied:
After patching, verify that non-admin users receive authorization errors when attempting to access admin user data via JSONWS APIs
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to JSONWS endpoints
- Multiple failed authorization attempts for admin user data access
Network Indicators:
- Unusual patterns of requests to /api/jsonws/user/* endpoints from non-admin accounts
SIEM Query:
source="liferay" AND (uri_path="/api/jsonws/user/*" AND user_role!="admin")
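An added example (not part of the advisory or of Liferay) that turns the log and network indicators above into a small detector: it flags every hit on /api/jsonws/user/* by a non-admin account and reports accounts that collect repeated 403s there. The log format, field names, usernames, roles and user IDs are constructed assumptions for the sample; adapt LINE_RE to the format your reverse proxy or portal actually writes.

```python
import re
from collections import Counter

# Constructed sample lines in a simplified access-log format (not real Liferay
# logs): "<client_ip> <user> <role> <method> <path> <status>". Adapt LINE_RE
# to the format your reverse proxy or portal actually writes.
SAMPLE_LOG = """\
10.0.0.5 alice member GET /api/jsonws/user/get-user-by-id?userId=20123 200
10.0.0.5 alice member GET /api/jsonws/user/get-user-by-id?userId=20124 403
10.0.0.5 alice member GET /api/jsonws/user/get-user-by-id?userId=20125 403
10.0.0.5 alice member GET /api/jsonws/user/get-user-by-id?userId=20126 403
10.0.0.9 bob admin GET /api/jsonws/user/get-user-by-id?userId=20123 200
10.0.0.7 carol member GET /c/portal/login 200
"""

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<user>\S+) (?P<role>\S+) (?P<method>\S+) "
                     r"(?P<path>\S+) (?P<status>\d{3})$")
JSONWS_USER_PREFIX = "/api/jsonws/user/"


def parse_line(line):
    """Parse one log line into a dict; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyze(log_text, denied_threshold=3):
    """Return (non_admin_calls, repeat_denied).

    non_admin_calls: (user, path, status) for every non-admin hit on
      /api/jsonws/user/*; a 200 here on another user's record is what to
      investigate on an unpatched instance.
    repeat_denied: {user: count} for accounts with >= denied_threshold 403s
      on those endpoints, i.e. the repeated-denial pattern the advisory lists.
    """
    non_admin_calls = []
    denied = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(JSONWS_USER_PREFIX):
            continue
        if rec["role"] != "admin":
            non_admin_calls.append((rec["user"], rec["path"], rec["status"]))
            if rec["status"] == 403:
                denied[rec["user"]] += 1
    repeat_denied = {u: n for u, n in denied.items() if n >= denied_threshold}
    return non_admin_calls, repeat_denied
```

On the sample, analyze(SAMPLE_LOG) reports four non-admin calls, all by alice, and {"alice": 3} as the repeated-denial account.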