CVE-2022-42128 – com.liferay.portal:release.portal.bom
Package
Manager: maven
Name: com.liferay.portal:release.portal.bom
Vulnerable Version: >=7.4.1 <7.4.3.5
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00179 (percentile: 0.39777)
Details
Incorrect Default Permissions in Liferay Portal
The Hypermedia REST APIs module in Liferay Portal 7.4.1 through 7.4.3.4, and Liferay DXP 7.4 GA does not properly check permissions, which allows remote attackers to obtain a WikiNode object via the WikiNodeResource.getSiteWikiNodeByExternalReferenceCode API.
Metadata
Created: 2022-11-15T12:00:16Z
Modified: 2022-11-21T23:46:02Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-wgqm-qp44-cg6x/GHSA-wgqm-qp44-cg6x.json
CWE IDs: ["CWE-276"]
Alternative ID: GHSA-wgqm-qp44-cg6x
Finding: F159
Auto approve: 1