CVE-2022-28981 – com.liferay:com.liferay.headless.discovery.web
Package
Manager: maven
Name: com.liferay:com.liferay.headless.discovery.web
Vulnerable Version: >=0 <4.0.12
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00226 (percentile: 0.45327)
Details
Liferay Portal Path Traversal Vulnerability via the Hypermedia REST APIs Module
Path traversal vulnerability in the Hypermedia REST APIs module before 4.0.12 from Liferay Portal (7.4.0 through 7.4.2) allows remote attackers to access files outside of com.liferay.headless.discovery.web/META-INF/resources via the `parameter` parameter.
Metadata
Created: 2022-09-23T00:00:46Z
Modified: 2025-07-16T15:03:21Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-5j86-vmpx-42pc/GHSA-5j86-vmpx-42pc.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-5j86-vmpx-42pc
Finding: F063
Auto approve: 1