CVE-2021-29053: Multiple SQL injection vulnerabilities in Liferay Portal 7.3.5 and Liferay DXP 7.3 before fix pack 1 allow...
Multiple SQL injection vulnerabilities in Liferay Portal 7.3.5 and Liferay DXP 7.3 before fix pack 1 allow remote authenticated users to execute arbitrary SQL commands via the classPKField parameter to (1) CommerceChannelRelFinder.countByC_C, or (2) CommerceChannelRelFinder.findByC_C.
Security readout for executives and security teams
Plain-English summary
CVE-2021-29053 is a SQL injection issue in specific Liferay versions. An authenticated remote user could cause the application to run arbitrary SQL through a vulnerable parameter. For executives, the concern is potential database confidentiality and integrity impact on affected Liferay deployments, especially where many users can log in.
Executive priority
Prioritize remediation for affected Liferay systems that are internet-facing, business-critical, or accessible to many authenticated users. SQL injection can affect sensitive data and application integrity, but the bundle does not confirm active exploitation.
Technical view
The CVE describes multiple SQL injection vulnerabilities in Liferay Portal 7.3.5 and Liferay DXP 7.3 before fix pack 1. The classPKField parameter reaches CommerceChannelRelFinder.countByC_C and CommerceChannelRelFinder.findByC_C, allowing authenticated remote users to execute arbitrary SQL commands. No CVSS, CWE, or detailed exploit prerequisites are provided in the bundle.
Likely exposure
Exposure appears limited to Liferay Portal 7.3.5 and Liferay DXP 7.3 before fix pack 1. The attacker must be authenticated remotely. The source bundle does not identify affected configurations beyond those products and versions.
Exploitation context
The bundle does not show CISA KEV listing or cite active exploitation. It only states that authenticated remote users can execute arbitrary SQL through the named parameter and finder methods. Treat internet-accessible or broadly user-accessible Liferay systems as higher priority.
Researcher notes
The record is sparse: no CVSS, CWE, exploit evidence, or detailed affected CPEs are included. The strongest facts are the affected Liferay versions, authenticated remote requirement, vulnerable classPKField parameter, and two CommerceChannelRelFinder methods.
Mitigation direction
Check Liferay’s advisory for the vendor-supported fix guidance.
Upgrade Liferay DXP 7.3 to fix pack 1 or later, if applicable.
Identify and retire any Liferay Portal 7.3.5 instances.
Restrict login access to affected systems until remediated.
Review database activity for suspicious authenticated application queries.
Validation and detection
Inventory all Liferay Portal and DXP deployments and versions.
Confirm whether Liferay DXP 7.3 is below fix pack 1.
Check whether Liferay Portal 7.3.5 is present.
Review application logs for unusual authenticated access patterns.
Verify vendor advisory status against deployed build numbers.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
description · low confidence lookup
Database behavior lookup
The CVE wording references database injection or access, so collection and exfiltration review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
1ADP providers
2Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
May 17, 2021, 10:41 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.