First published: Tue Nov 15 2022(Updated: )
Zip slip vulnerability in FileUtil.unzip in Liferay Portal 7.4.3.5 through 7.4.3.35 and Liferay DXP 7.4 update 1 through update 34 allows attackers to create or overwrite existing files on the filesystem via the deployment of a malicious plugin/module.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Liferay Digital Experience Platform | =7.4-update1 | |
Liferay Digital Experience Platform | =7.4-update34 | |
Liferay Liferay Portal | >=7.4.3.5<7.4.3.36 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The vulnerability ID is CVE-2022-42125.
The severity of CVE-2022-42125 is high with a CVSS score of 7.5.
Liferay Portal versions 7.4.3.5 through 7.4.3.35 and Liferay DXP versions 7.4 update 1 through update 34 are affected by CVE-2022-42125.
CVE-2022-42125 allows attackers to create or overwrite existing files on the filesystem by deploying a malicious plugin/module using the unzip function in Liferay Portal and Liferay DXP.
Yes, a fix is available for CVE-2022-42125. It is recommended to update to a version of Liferay Portal or Liferay DXP that is not affected by this vulnerability.