Description

A Zip slip vulnerability in the Elasticsearch Connector in Liferay Portal 7.3.3 through 7.4.3.18, and Liferay DXP 7.3 before update 6, and 7.4 before update 19 allows attackers to create or overwrite existing files on the filesystem via the installation of a malicious Elasticsearch Sidecar plugin.

Remediation

References

http://liferay.com

https://issues.liferay.com/browse/LPE-17518

https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42123

Related Vulnerabilities

CVE-2020-2132 Vulnerability in maven package com.parasoft:environment-manager

CVE-2023-31206 Vulnerability in maven package org.apache.inlong:manager-dao

CVE-2019-0231 Vulnerability in maven package org.apache.mina:mina-core

CVE-2020-1942 Vulnerability in maven package org.apache.nifi:nifi-web-security

CVE-2023-29520 Vulnerability in maven package org.xwiki.platform:xwiki-platform-localization-source-wiki

Severity

High

Classification

CWE-22 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Tags

Vendor Advisory