CVE-2021-38268: 
Java vulnerability analysis and mitigation

The vulnerability CVE-2021-38268 affects the Dynamic Data Mapping module in Liferay Portal versions 7.0.0 through 7.3.6, and Liferay DXP versions 7.0 before fix pack 101, 7.1 before fix pack 21, 7.2 before fix pack 10, and 7.3 before fix pack 2. The vulnerability was disclosed on March 2, 2022, and involves incorrect default permission settings that could allow unauthorized access (NVD, Liferay Advisory).

The vulnerability stems from incorrect default permission settings in the Dynamic Data Mapping module, which allows remote authenticated users with the site member role to add and duplicate forms through both the user interface and API. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N, indicating network accessibility, low attack complexity, and high impact on integrity (NVD).

The vulnerability allows remote authenticated users with site member roles to perform unauthorized actions including adding and duplicating forms. This could potentially lead to unauthorized content creation and modification within the affected Liferay installations (NVD).

The vulnerability has been fixed in Liferay Portal version 7.3.7 and through specific fix packs for different versions: fix pack 101 for DXP 7.0, fix pack 21 for DXP 7.1, fix pack 10 for DXP 7.2, and fix pack 2 for DXP 7.3. For Liferay Portal 7.0 and 7.1, users are recommended to upgrade to Liferay Portal 7.3 as no direct fixes are available for these versions (Liferay Advisory).