CVE-2023-33945

SQL injection vulnerability in the upgrade process for SQL Server in Liferay Portal 7.3.1 through 7.4.3.17, and Liferay DXP 7.3 before update 6, and 7.4 before update 18 allows attackers to execute arbitrary SQL commands via the name of a database table's primary key index. This vulnerability is only exploitable when chained with other attacks. To exploit this vulnerability, the attacker must modify the database and wait for the application to be upgraded.

Published: May 24, 2023
Updated: May 9, 2024
CVE: CVE-2023-33945
GHSA: GHSA-g7vw-43xg-8m4h
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.1
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWEs:

CWE-89

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
com.liferay.portal / release.portal.bom	7.3.1	7.4.3.18
liferay / digital_experience_platform	7.3-fix_pack_1	7.3-fix_pack_1.x
liferay / digital_experience_platform	7.3	7.3.x
liferay / digital_experience_platform	7.3-fix_pack_2	7.3-fix_pack_2.x
liferay / digital_experience_platform	7.4-update1	7.4-update1.x
liferay / digital_experience_platform	7.4	7.4.x
liferay / liferay_portal	7.3.1	7.4.3.17.x

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33945

Vulnerability Database

289,697

CVE-2023-33945