CVE-2024-25146: 
Java vulnerability analysis and mitigation

CVE-2024-25146 is a vulnerability discovered in Liferay Portal and Liferay DXP that was disclosed on February 7, 2024. The vulnerability affects Liferay Portal versions 7.2.0 through 7.4.1 and older unsupported versions, as well as Liferay DXP 7.3 before service pack 3 and 7.2 before fix pack 18. This security issue allows remote attackers to discover the existence of sites by enumerating URLs when specific conditions are met (Liferay Advisory).

The vulnerability occurs when the system configuration has locale.prepend.friendly.url.style=2 and a custom 404 page is used. The core issue lies in the different responses returned by the system depending on whether a site does not exist or if the user does not have permission to access the site. This observable response discrepancy (CWE-203, CWE-204) allows attackers to enumerate and discover existing sites. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (NVD).

The primary impact of this vulnerability is the potential disclosure of information about existing sites within the Liferay installation. Attackers can leverage the different system responses to determine whether specific sites exist, even if they don't have permission to access them. This information disclosure could be used as part of a larger reconnaissance effort (Liferay Advisory).

The vulnerability has been fixed in Liferay Portal 7.4.2, Liferay DXP 7.3 service pack 3, and Liferay DXP 7.2 fix pack 18. Organizations using affected versions should upgrade to these patched versions to mitigate the vulnerability (Liferay Advisory).