First published: Tue Nov 15 2022
A Zip slip vulnerability in the Elasticsearch Connector in Liferay Portal 7.3.3 through 7.4.3.18, and Liferay DXP 7.3 before update 6, and 7.4 before update 19 allows attackers to create or overwrite existing files on the filesystem via the installation of a malicious Elasticsearch Sidecar plugin.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Liferay Digital Experience Platform | =7.3 | |
Liferay Digital Experience Platform | =7.4 | |
Liferay Liferay Portal | >=7.3.3 <7.4.3.19 | |
The severity of CVE-2022-42123 is high with a value of 7.5.
CVE-2022-42123 affects Liferay Digital Experience Platform versions 7.3 and 7.4, and Liferay Portal versions 7.3.3 to 7.4.3.18.
CVE-2022-42123 allows attackers to create or overwrite existing files on the filesystem through the installation of a malicious Elasticsearch Sidecar plugin.
The fix for CVE-2022-42123 is to update Liferay Digital Experience Platform to version 7.3 update 6 or 7.4 update 19, and Liferay Portal to version 7.4.3.19.
More information about CVE-2022-42123 can be found at the following references: [http://liferay.com](http://liferay.com), [https://issues.liferay.com/browse/LPE-17518](https://issues.liferay.com/browse/LPE-17518), [https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42123](https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42123).
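
The following is an added example, not Liferay's code or its fix: a Python pre-install check that lists the entries of a plugin ZIP whose resolved path falls outside the extraction directory, which is the condition a Zip slip depends on. The function names, the destination path and the in-memory sample archive are assumptions constructed for illustration.

```python
import io
import posixpath
import zipfile


def unsafe_entries(archive, dest="/opt/example/plugins/demo"):
    """Return entry names that would resolve outside dest if extracted.

    dest is a hypothetical extraction directory, not a Liferay path.
    """
    dest = posixpath.normpath(dest)
    flagged = []
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            # ZIP names use '/'; some tools write '\\', so treat both alike.
            name = info.filename.replace("\\", "/")
            # join() discards dest when name is absolute, so "/x" is caught too.
            target = posixpath.normpath(posixpath.join(dest, name))
            has_drive = len(name) > 1 and name[1] == ":"
            # Compare with a trailing separator: a bare prefix test would
            # accept the sibling directory "<dest>-evil".
            inside = target == dest or target.startswith(dest + "/")
            if has_drive or not inside:
                flagged.append(info.filename)
    return flagged


def build_sample():
    """Constructed in-memory archive: two benign and three escaping entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("plugin-descriptor.properties", "name=demo\n")
        zf.writestr("lib/demo.jar", b"")
        zf.writestr("../../escape.txt", "x")
        zf.writestr("/abs/escape.txt", "x")
        zf.writestr("../demo-evil/escape.txt", "x")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for entry in unsafe_entries(build_sample()):
        print("refuse to install, entry escapes target:", entry)
```

An archive with any flagged entry should be rejected as a whole rather than extracted with the offending names rewritten.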