CVE-2025-3594

Path traversal vulnerability with the downloading and installation of Xuggler in Liferay Portal 7.0.0 through 7.4.3.4, and Liferay DXP 7.4 GA, 7.3 GA through update 34, and older unsupported versions allows remote attackers to (1) add files to arbitrary locations on the server and (2) download and execute arbitrary files from the download server via the `_com_liferay_server_admin_web_portlet_ServerAdminPortlet_jarName` parameter.

CVSS

No CVSS.

References

Link	Resource
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-3594

Configurations

No configuration.

History

17 Jun 2025, 20:50

Type	Values Removed	Values Added
Summary		(es) La vulnerabilidad de path traversal con la descarga e instalación de Xuggler en Liferay Portal 7.0.0 a 7.4.3.4, y Liferay DXP 7.4 GA, 7.3 GA a través de la actualización 34, y versiones anteriores no compatibles permite a atacantes remotos (1) agregar archivos a ubicaciones arbitrarias en el servidor y (2) descargar y ejecutar archivos arbitrarios desde el servidor de descarga a través del parámetro `_com_liferay_server_admin_web_portlet_ServerAdminPortlet_jarName`.

16 Jun 2025, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-16 15:15

Updated : 2025-06-17 20:50

NVD link : CVE-2025-3594

Mitre link : CVE-2025-3594

CVE.ORG link : CVE-2025-3594

JSON object : View

Products Affected

No product.

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2025-3594", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security@liferay.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.6, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-06-16T15:15:24.257", "references": [{"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-3594", "source": "security@liferay.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security@liferay.com", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "Path traversal vulnerability with the downloading and installation of Xuggler in Liferay Portal 7.0.0 through 7.4.3.4, and Liferay DXP 7.4 GA, 7.3 GA through update 34, and older unsupported versions allows remote attackers to (1) add files to arbitrary locations on the server and (2) download and execute arbitrary files from the download server via the `_com_liferay_server_admin_web_portlet_ServerAdminPortlet_jarName` parameter."}, {"lang": "es", "value": "La vulnerabilidad de path traversal con la descarga e instalaci\u00f3n de Xuggler en Liferay Portal 7.0.0 a 7.4.3.4, y Liferay DXP 7.4 GA, 7.3 GA a trav\u00e9s de la actualizaci\u00f3n 34, y versiones anteriores no compatibles permite a atacantes remotos (1) agregar archivos a ubicaciones arbitrarias en el servidor y (2) descargar y ejecutar archivos arbitrarios desde el servidor de descarga a trav\u00e9s del par\u00e1metro `_com_liferay_server_admin_web_portlet_ServerAdminPortlet_jarName`."}], "lastModified": "2025-06-17T20:50:23.507", "sourceIdentifier": "security@liferay.com"}