CVE-2022-42123 com.liferay.portal:release.portal.bom

Package

Manager: maven
Name: com.liferay.portal:release.portal.bom
Vulnerable Version: >=7.3.3 <7.4.3.19

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00204 (percentile: 0.42691)

Details

Path Traversal in Liferay Portal

A Zip slip vulnerability in the Elasticsearch Connector in Liferay Portal 7.3.3 through 7.4.3.18, and Liferay DXP 7.3 before update 6 and 7.4 before update 19, allows attackers to create or overwrite existing files on the filesystem via the installation of a malicious Elasticsearch Sidecar plugin.

Metadata

Created: 2022-11-15T12:00:16Z
Modified: 2025-09-05T19:03:57Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-hffx-r282-w2g9/GHSA-hffx-r282-w2g9.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-hffx-r282-w2g9
Finding: F063
Auto approve: 1