CVE-2022-42126

The Asset Libraries module in Liferay Portal 7.3.5 through 7.4.3.28, and Liferay DXP 7.3 before update 8, and DXP 7.4 before update 29 does not properly check permissions of asset libraries, which allows remote authenticated users to view asset libraries via the UI.

Published: Nov 15, 2022
Updated: May 10, 2024
CVE: CVE-2022-42126
GHSA: GHSA-642h-mx8q-47p2
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 4.3
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWEs:

CWE-280

Affected Software
References

Software	From	Fixed in
liferay / digital_experience_platform	7.3	7.3.x
liferay / digital_experience_platform	7.4-update1	7.4-update1.x
liferay / digital_experience_platform	7.4	7.4.x
liferay / liferay_portal	7.3.5	7.4.3.29
com.liferay.portal / release.portal.bom	7.3.5	7.4.3.48

http://liferay.com
https://issues.liferay.com/browse/LPE-17593
https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42126

Vulnerability Database

289,784

CVE-2022-42126