Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1oZmZ4LXIyODItdzJnOc4AAv3t

Path Traversal in Liferay Portal

A Zip slip vulnerability in the Elasticsearch Connector in Liferay Portal 7.3.3 through 7.4.3.18, and Liferay DXP 7.3 before update 6, and 7.4 before update 19 allows attackers to create or overwrite existing files on the filesystem via the installation of a malicious Elasticsearch Sidecar plugin.

Permalink: https://github.com/advisories/GHSA-hffx-r282-w2g9
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1oZmZ4LXIyODItdzJnOc4AAv3t
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: over 1 year ago


CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Identifiers: GHSA-hffx-r282-w2g9, CVE-2022-42123
References:
Blast Radius: 11.4

Affected Packages

maven:com.liferay.portal:release.portal.bom
Dependent packages: 5
Dependent repositories: 33
Downloads:
Affected Version Ranges: >= 7.3.3, < 7.4.3.19
Fixed in: 7.4.3.19
All affected versions: 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.4.0, 7.4.1, 7.4.2
All unaffected versions: 7.0.6, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.3.2