Vulnerability Instance
Lookup for vulnerabilities affecting packages.
GET /api/vulnerabilities/47045?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47045?format=api", "vulnerability_id": "VCID-38vz-usgx-g7dv", "summary": "Liferay Portal defaults to a low work factor for the default password hashing algorithm\nThe default password hashing algorithm (PBKDF2-HMAC-SHA1) in Liferay Portal 7.2.0 through 7.4.3.15, and older unsupported versions, and Liferay DXP 7.4 before update 16, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions defaults to a low work factor, which allows attackers to quickly crack password hashes.", "aliases": [ { "alias": "CVE-2024-25607" }, { "alias": "GHSA-43h9-p3j4-39hm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/69043?format=api", "purl": "pkg:maven/com.liferay.portal/com.liferay.portal.kernel@38.0.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/com.liferay.portal.kernel@38.0.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/68818?format=api", "purl": "pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp17", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp17" }, { "url": "http://public2.vulnerablecode.io/api/packages/68816?format=api", "purl": "pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u4" }, { "url": "http://public2.vulnerablecode.io/api/packages/69054?format=api", "purl": "pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u16", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u16" }, { "url": "http://public2.vulnerablecode.io/api/packages/69017?format=api", "purl": "pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.14", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.14" } ], "affected_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/60857?format=api", "purl": "pkg:maven/com.liferay.portal/release.dxp.bom@7.3.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1fqz-psdf-g7dm" }, { "vulnerability": "VCID-1h16-mptk-gke7" }, { "vulnerability": "VCID-266t-4gfq-duh4" }, { "vulnerability": "VCID-298n-mh47-3ygq" }, { "vulnerability": "VCID-38vz-usgx-g7dv" }, { "vulnerability": "VCID-4mcy-yw2p-v7bd" }, { "vulnerability": "VCID-7f43-u96s-qyeq" }, { "vulnerability": "VCID-7gqd-78yq-r3be" }, { "vulnerability": "VCID-7zhe-ztqw-gkhh" }, { "vulnerability": "VCID-a7z8-2fzy-2qee" }, { "vulnerability": "VCID-a93n-jcyj-s7cb" }, { "vulnerability": "VCID-b7h9-cxkj-hkc8" }, { "vulnerability": "VCID-cxnv-25bg-rubj" }, { "vulnerability": "VCID-e5c7-wsvb-dyfm" }, { "vulnerability": "VCID-ef5k-bdxm-xfer" }, { "vulnerability": "VCID-ggs5-4zac-vqa7" }, { "vulnerability": "VCID-gz3a-m337-s7dn" }, { "vulnerability": "VCID-h261-uqtv-yfek" }, { "vulnerability": "VCID-hhmu-vsj9-gudx" }, { "vulnerability": "VCID-hrnu-4t2j-9qba" }, { "vulnerability": "VCID-hw1d-gdcv-vkec" }, { "vulnerability": "VCID-k1u8-ur3y-zucd" }, { "vulnerability": "VCID-k6d6-hyep-pbac" }, { "vulnerability": "VCID-k7yh-fkj8-t3fx" }, { "vulnerability": "VCID-k9yt-aj7x-3bht" }, { "vulnerability": "VCID-menx-yu2z-xkeh" }, { "vulnerability": "VCID-mph8-zzjv-67av" }, { "vulnerability": "VCID-n6qs-hded-rydp" }, { "vulnerability": "VCID-p9am-1rhf-6bh2" }, { "vulnerability": "VCID-q7bs-639b-pken" }, { "vulnerability": "VCID-tqvb-a46r-jbf8" }, { "vulnerability": "VCID-uu3m-ef36-jqg7" }, { "vulnerability": "VCID-uug8-ap5n-r3g2" }, { "vulnerability": "VCID-x7ny-9pvm-77eh" }, { "vulnerability": "VCID-xa5h-2khm-efgj" }, { "vulnerability": "VCID-xe2v-j69t-d3h3" }, { "vulnerability": "VCID-xuaz-p5q4-8beh" }, { "vulnerability": "VCID-xwgk-d28b-rbgz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.3.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/67365?format=api", "purl": "pkg:maven/com.liferay.portal/release.dxp.bom@7.4.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1fqz-psdf-g7dm" }, { "vulnerability": "VCID-298n-mh47-3ygq" }, { "vulnerability": "VCID-38vz-usgx-g7dv" }, { "vulnerability": "VCID-42k1-vb9z-3qe7" }, { "vulnerability": "VCID-9hvg-h2ra-nbcc" }, { "vulnerability": "VCID-9yw4-52sc-rbbz" }, { "vulnerability": "VCID-a7z8-2fzy-2qee" }, { "vulnerability": "VCID-c3ym-wtv5-hfhr" }, { "vulnerability": "VCID-d8m3-apv8-zfe1" }, { "vulnerability": "VCID-e5c7-wsvb-dyfm" }, { "vulnerability": "VCID-ef5k-bdxm-xfer" }, { "vulnerability": "VCID-ggs5-4zac-vqa7" }, { "vulnerability": "VCID-gkn8-ehfa-3ugx" }, { "vulnerability": "VCID-hhmu-vsj9-gudx" }, { "vulnerability": "VCID-k9yt-aj7x-3bht" }, { "vulnerability": "VCID-menx-yu2z-xkeh" }, { "vulnerability": "VCID-tqvb-a46r-jbf8" }, { "vulnerability": "VCID-uu3m-ef36-jqg7" }, { "vulnerability": "VCID-xe2v-j69t-d3h3" }, { "vulnerability": "VCID-xv4h-g41b-c7c7" }, { "vulnerability": "VCID-xwgk-d28b-rbgz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.4.0" } ], "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-25607", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00101", "scoring_system": "epss", "scoring_elements": "0.27414", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-25607" }, { "reference_url": "https://github.com/liferay/liferay-portal", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal" }, { "reference_url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25607", "reference_id": "CVE-2024-25607", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-02-20T13:27:04Z/" } ], "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25607" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25607", "reference_id": "CVE-2024-25607", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25607" }, { "reference_url": "https://github.com/advisories/GHSA-43h9-p3j4-39hm", "reference_id": "GHSA-43h9-p3j4-39hm", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-43h9-p3j4-39hm" } ], "weaknesses": [ { "cwe_id": 916, "name": "Use of Password Hash With Insufficient Computational Effort", "description": "The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive." }, { "cwe_id": 937, "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013." }, { "cwe_id": 1035, "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017." } ], "exploits": [], "severity_range_score": "7.0 - 8.9", "exploitability": null, "weighted_severity": null, "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-38vz-usgx-g7dv" }