{"id":"CVE-2021-29052","details":"The Data Engine module in Liferay Portal 7.3.0 through 7.3.5, and Liferay DXP 7.3 before fix pack 1 does not check permissions in DataDefinitionResourceImpl.getSiteDataDefinitionByContentTypeByDataDefinitionKey, which allows remote authenticated users to view DDMStructures via GET API calls.","aliases":["GHSA-pr7v-qv65-rp9m"],"modified":"2026-04-10T04:31:53.542659Z","published":"2021-05-17T12:15:07.490Z","references":[{"type":"ADVISORY","url":"http://liferay.com"},{"type":"ADVISORY","url":"https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743159"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/liferay/liferay-portal","events":[{"introduced":"b072f5df5544a28677824835b490ce8a867bf133"},{"last_affected":"f193301b2848899b008d51513af62a3b3a9b7888"}],"database_specific":{"versions":[{"introduced":"7.3.0"},{"last_affected":"7.3.5"}]}}],"versions":["7.3.0-ga1","7.3.1-ga2","7.3.2-ga3","7.3.3-ga4","7.3.4-ga5","7.3.5-ga6","test-fix-pack-base-7310"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-29052.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"7.3-NA"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}]}