Description

A Zip slip vulnerability in the Elasticsearch Connector in Liferay Portal 7.3.3 through 7.4.3.18, and Liferay DXP 7.3 before update 6, and 7.4 before update 19 allows attackers to create or overwrite existing files on the filesystem via the installation of a malicious Elasticsearch Sidecar plugin.

Remediation

References

CVE-2022-42123

Related Vulnerabilities

WordPress 4.6.x Multiple Vulnerabilities (4.6 - 4.6.3)

WordPress Plugin DX Share Selection Cross-Site Request Forgery (1.4)

WordPress Plugin Contextual Related Posts Cross-Site Request Forgery (1.8.6)

Liferay Portal Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Vulnerability (CVE-2022-28981)

WordPress Plugin WPtouch Arbitrary File Upload (3.4.6)

Severity

High

Classification

CVE-2022-42123 CWE-22 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update Known Vulnerabilities