Description

A Zip slip vulnerability in the Elasticsearch Connector in Liferay Portal 7.3.3 through 7.4.3.18, and Liferay DXP 7.3 before update 6, and 7.4 before update 19 allows attackers to create or overwrite existing files on the filesystem via the installation of a malicious Elasticsearch Sidecar plugin.

Remediation

References

http://liferay.com

https://issues.liferay.com/browse/LPE-17518

https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42123

Related Vulnerabilities

CVE-2017-9804 Vulnerability in maven package org.apache.struts:struts2-core

CVE-2023-32985 Vulnerability in maven package org.jenkins-ci.plugins:sidebar-link

CVE-2015-3191 Vulnerability in maven package org.cloudfoundry.identity:cloudfoundry-identity-login

CVE-2023-49396 Vulnerability in maven package com.jfinal:jfinal

CVE-2020-2309 Vulnerability in maven package org.csanchez.jenkins.plugins:kubernetes

Severity

High

Classification

CWE-22 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Tags

Vendor Advisory