Description

A Zip slip vulnerability in the Elasticsearch Connector in Liferay Portal 7.3.3 through 7.4.3.18, and Liferay DXP 7.3 before update 6, and 7.4 before update 19 allows attackers to create or overwrite existing files on the filesystem via the installation of a malicious Elasticsearch Sidecar plugin.

Remediation

References

http://liferay.com

https://issues.liferay.com/browse/LPE-17518

https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42123

Related Vulnerabilities

CVE-2016-0760 Vulnerability in maven package org.apache.sentry:sentry-binding-hive

CVE-2016-9879 Vulnerability in maven package org.springframework.security:spring-security-web

CVE-2022-42468 Vulnerability in maven package org.apache.flume.flume-ng-sources:flume-jms-source

CVE-2023-24435 Vulnerability in maven package org.jenkins-ci.plugins:ghprb

CVE-2017-8045 Vulnerability in maven package org.springframework.amqp:spring-amqp

Severity

High

Classification

CWE-22 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Tags

Vendor Advisory