CVE-2022-42123

A Zip slip vulnerability in the Elasticsearch Connector in Liferay Portal 7.3.3 through 7.4.3.18, and Liferay DXP 7.3 before update 6, and 7.4 before update 19 allows attackers to create or overwrite existing files on the filesystem via the installation of a malicious Elasticsearch Sidecar plugin.

Published: Nov 15, 2022
Updated: May 9, 2024
CVE: CVE-2022-42123
GHSA: GHSA-hffx-r282-w2g9
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWEs:

CWE-22

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
liferay / digital_experience_platform	7.3	7.3.x
liferay / liferay_portal	7.3.3	7.4.3.19
liferay / digital_experience_platform	7.4	7.4.x
com.liferay.portal / release.portal.bom	7.3.3	7.4.3.19

http://liferay.com
https://issues.liferay.com/browse/LPE-17518
https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42123

Vulnerability Database

289,784

CVE-2022-42123