CVE-2024-25606: 
Java vulnerability analysis and mitigation

CVE-2024-25606 is an XML External Entity (XXE) vulnerability discovered in Liferay Portal versions 7.2.0 through 7.4.3.7 and Liferay DXP versions 7.4 (before update 4), 7.3 (before update 12), 7.2 (before fix pack 20), and older unsupported versions. The vulnerability was disclosed on February 20, 2024, and affects the Java2WsddTask.format method ([Liferay Advisory](https://liferay.dev/portal/security/known-vulnerabilities/-/assetpublisher/jekt/content/cve-2024-25606)).

The vulnerability is classified as CWE-611 (Improper Restriction of XML External Entity Reference). It received a CVSS v3.1 base score of 8.7 HIGH (NIST: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:H) and 8.0 HIGH from Liferay Inc. (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H). The vulnerability specifically affects the Java2WsddTask._format method in the application (NVD).

The vulnerability allows attackers with permission to deploy widgets/portlets/extensions to obtain sensitive information or consume system resources through the affected component. The high severity rating indicates significant potential impact on system confidentiality and availability (Liferay Advisory).

Fixed versions have been released to address this vulnerability: Liferay Portal 7.4.3.8, Liferay DXP 7.4 update 4, Liferay DXP 7.3 update 12, and Liferay DXP 7.2 fix pack 20. Users are advised to upgrade to these versions to mitigate the vulnerability (Liferay Advisory).