Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES SCA (Software Composition Analysis)

CVE-2022-42123 Vulnerability in maven package com.liferay:com.liferay.portal.search.elasticsearch7.impl

Description

A Zip slip vulnerability in the Elasticsearch Connector in Liferay Portal 7.3.3 through 7.4.3.18, and Liferay DXP 7.3 before update 6, and 7.4 before update 19 allows attackers to create or overwrite existing files on the filesystem via the installation of a malicious Elasticsearch Sidecar plugin.

Remediation

References

http://liferay.com

https://issues.liferay.com/browse/LPE-17518

https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42123

Related Vulnerabilities

CVE-2013-2186 Vulnerability in maven package commons-fileupload:commons-fileupload

CVE-2022-42127 Vulnerability in maven package com.liferay:com.liferay.friendly.url.web

CVE-2015-1833 Vulnerability in maven package org.apache.jackrabbit:jackrabbit-webdav

CVE-2018-14042 Vulnerability in npm package bootstrap

CVE-2021-21613 Vulnerability in maven package io.jenkins.plugins:tics

Severity

High

Classification

CWE-22 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Tags

Vendor Advisory