A Zip slip vulnerability in the Elasticsearch Connector in Liferay Portal 7.3.3 through 7.4.3.18, and Liferay DXP 7.3 before update 6, and 7.4 before update 19 allows attackers to create or overwrite existing files on the filesystem via the installation of a malicious Elasticsearch Sidecar plugin.
References
| Link | Resource |
|---|---|
| http://liferay.com | Vendor Advisory |
| https://issues.liferay.com/browse/LPE-17518 | Vendor Advisory |
| https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42123 | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
18 Nov 2022, 15:50
| Type | Values Removed | Values Added |
|---|---|---|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
| First Time |
Liferay
Liferay liferay Portal Liferay digital Experience Platform |
|
| CPE | cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:* cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:* cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:* |
|
| References | (MISC) https://issues.liferay.com/browse/LPE-17518 - Vendor Advisory | |
| References | (MISC) http://liferay.com - Vendor Advisory | |
| References | (MISC) https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42123 - Vendor Advisory | |
| CWE | CWE-22 |
15 Nov 2022, 01:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2022-11-15 01:15
Updated : 2023-12-10 14:35
NVD link : CVE-2022-42123
Mitre link : CVE-2022-42123
CVE.ORG link : CVE-2022-42123
JSON object : View
Products Affected
liferay
- liferay_portal
- digital_experience_platform
CWE
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')