CVE-2022-42126 – com.liferay.portal:release.portal.bom
Package
Manager: maven
Name: com.liferay.portal:release.portal.bom
Vulnerable Version: >=7.3.5 <7.4.3.48
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00178 (percentile 0.39671)
Details
Missing permissions check in Liferay Portal
The Asset Libraries module in Liferay Portal 7.3.5 through 7.4.3.28, and Liferay DXP 7.3 before update 8, and DXP 7.4 before update 29 does not properly check permissions of asset libraries, which allows remote authenticated users to view asset libraries via the UI.
Metadata
Created: 2022-11-15T12:00:16Z
Modified: 2022-11-21T23:47:59Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-642h-mx8q-47p2/GHSA-642h-mx8q-47p2.json
CWE IDs: ["CWE-280", "CWE-284"]
Alternative ID: GHSA-642h-mx8q-47p2
Finding: F159
Auto approve: 1