PatchSiren

CVE-2016-6517 Liferay CVE debrief

CVE-2016-6517 is a critical directory traversal vulnerability affecting Liferay 5.1.0. According to NVD, a remote attacker can use an encoded dot-dot sequence (%2E%2E) in the minifierBundleDir parameter to barebone.jsp, with unspecified impact. NVD assigns a CVSS 3.0 score of 9.8 and identifies CWE-22 (Path Traversal).

Vendor: Liferay
Product: CVE-2016-6517
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-23
Original CVE updated: 2026-05-13
Advisory published: 2017-01-23
Advisory updated: 2026-05-13

Who should care

Organizations running Liferay 5.1.0, especially as internet-facing portals, along with the application owners, platform administrators, and incident responders responsible for web application security.

Technical summary

The NVD record describes a path traversal flaw in Liferay 5.1.0 exposed through barebone.jsp. An attacker can supply %2E%2E in the minifierBundleDir parameter to traverse directories. The NVD vulnerability metadata classifies the issue as CWE-22 and rates it CVSS 3.0 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating remote, low-complexity exploitation with potentially severe confidentiality, integrity, and availability impact.

Defensive priority

Immediate

Recommended defensive actions

  • Identify whether any Liferay 5.1.0 instances are still deployed, especially publicly reachable ones.
  • Treat exposure of barebone.jsp and the minifierBundleDir parameter as a high-risk security finding and prioritize remediation.
  • Follow vendor and upstream security guidance for Liferay and upgrade or replace affected deployments where possible.
  • Restrict network access to administrative and application endpoints until remediation is complete.
  • Review server and web logs for requests containing encoded traversal patterns such as %2E%2E targeting barebone.jsp.
  • Validate web application controls that block path traversal sequences and ensure reverse proxy and WAF rules are in place where appropriate.
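One way to carry out the log review above, as an added example that is not part of the NVD record or any Liferay code: it flags access-log lines that request barebone.jsp with a dot-dot segment in minifierBundleDir, decoding the value repeatedly so nested percent-encoding is normalized before the check. The log format (common/combined), the sample lines, and the directory shown before barebone.jsp are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# Request line inside a common/combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
MAX_DECODE_ROUNDS = 3  # assumption: enough rounds to undo nested percent-encoding


def fully_decode(value):
    """Percent-decode repeatedly until the value stops changing."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal_attempt(log_line):
    """True if the line requests barebone.jsp with '..' in minifierBundleDir."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return False
    target = urlsplit(match.group(1))
    if "barebone.jsp" not in unquote(target.path).lower():
        return False
    # Split the raw query by hand so the value is decoded only by fully_decode.
    for pair in target.query.split("&"):
        name, _, raw_value = pair.partition("=")
        if unquote(name).lower() != "minifierbundledir":
            continue
        # Compare whole path segments so names like "bundle..name" do not match.
        if ".." in re.split(r"[/\\]", fully_decode(raw_value)):
            return True
    return False


def flag_lines(lines):
    """Return the subset of log lines that look like traversal attempts."""
    return [line for line in lines if is_traversal_attempt(line)]


# Constructed sample lines; "/placeholder/" stands in for the real deployment path.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /placeholder/barebone.jsp?minifierBundleDir=%2E%2E/%2E%2E/x HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] "GET /placeholder/barebone.jsp?minifierBundleDir=%252E%252E%2Fx HTTP/1.1" 200 512',
    '192.0.2.12 - - [01/Jan/2024:10:00:09 +0000] "GET /placeholder/barebone.jsp?minifierBundleDir=%2E%2E%5Cx HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /placeholder/barebone.jsp?minifierBundleDir=bundle..name HTTP/1.1" 200 512',
    '198.51.100.8 - - [01/Jan/2024:10:02:00 +0000] "GET /placeholder/other.jsp?minifierBundleDir=%2E%2E/x HTTP/1.1" 404 0',
]
```

Calling `flag_lines` on lines read from a real access log returns the entries to triage; adjust `REQUEST_RE` if the server logs in a different format.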

Evidence notes

This debrief is based on the supplied NVD record and referenced advisory pointers. The NVD metadata identifies Liferay 5.1.0 as vulnerable, classifies the weakness as CWE-22, and provides the CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The CVE was published on 2017-01-23; the later 2026-05-13 modification date reflects database metadata updates, not the original vulnerability discovery date. The supplied references include Openwall oss-security postings and a SecurityFocus entry, but no vendor patch details were included in the corpus.

Official resources

Publicly disclosed; the CVE record was published on 2017-01-23. No Known Exploited Vulnerabilities (KEV) listing was provided in the supplied corpus.