フィードバックを送信
legacy-knowledge-base
公開されました Jun. 30, 2025

Liferay and CVE-2025-24813

投稿者

Daniel Martinez Cisneros

knowledge-article-header-disclaimer-how-to

knowledge-article-header-disclaimer

legacy-article

learn-legacy-article-disclaimer-text

Issue

  • Does Liferay DXP have the vulnerability CVE-2025-24813?

Environment

  • Liferay DXP
  • Quarterly Releases
  • 2025.Q1

Resolution

  • Liferay bundles and docker images are not affected due to the attribute readonly in DefaultServlet is true by default. To be exploitative readonly must be false. 
  • This vulnerability is related to Tomcat, not directly to Liferay DXP. Upgrading Tomcat to version 9.0.99 or higher mitigates the risk. Future Liferay DXP releases will include an updated Tomcat bundle and Docker image.
  • No patches related to this CVE will be released for existing Docker images or bundles from Liferay
  • As a workaround, manually upgrade Tomcat. For instructions, see Installing on Tomcat.

Additional Information

  • For more information on Tomcat vulnerabilities and how to address them, see Tomcat vulnerabilities.
  • Tomcat version will be updated on next bundles and docker images releases, reported on this LPD-51867

 

did-this-article-resolve-your-issue
legacy-knowledge-base
did-this-article-resolve-your-issue