CVE-2020-28885 and CVE-2020-28884

Issue

  • We would like to know about Liferay's vulnerability to CVE-2020-28885 and CVE-2020-28884.

  • The CVEs claim that it is a vulnerability for an Administrator user to be able to inject commands through the Gogo Shell module and Groovy scripts, respectively, and thereby execute arbitrary OS commands on the Liferay Portal server.

Environment

  • DXP 7.4

Resolution

  • Both CVEs (CVE-2020-28885 and CVE-2020-28884) describe intended behavior consistent with the permissions typically granted to an admin user.

  • Liferay maintains that these are not vulnerabilities, since it is an expected feature that administrators are allowed to access and execute commands in Gogo Shell, as well as to run Groovy scripts. Therefore, these are not design flaws or vulnerabilities.
  • They can both be safely ignored; alternatively, Gogo Shell and Groovy scripts can be disabled.

Additional Information:

