medium
5.9
CWE
200
Advisory Published
Updated

CVE-2022-42132: Infoleak

First published: Tue Nov 15 2022(Updated: )

The Test LDAP Users functionality in Liferay Portal 7.0.0 through 7.4.3.4, and Liferay DXP 7.0 fix pack 102 and earlier, 7.1 before fix pack 27, 7.2 before fix pack 17, 7.3 before update 4, and DXP 7.4 GA includes the LDAP credential in the page URL when paginating through the list of users, which allows man-in-the-middle attackers or attackers with access to the request logs to see the LDAP credential.

Credit: cve@mitre.org

Affected SoftwareAffected VersionHow to fix
Liferay 7.4 GA=7.0
Liferay 7.4 GA=7.0-fix_pack_1
Liferay 7.4 GA=7.0-fix_pack_10
Liferay 7.4 GA=7.0-fix_pack_100
Liferay 7.4 GA=7.0-fix_pack_11
Liferay 7.4 GA=7.0-fix_pack_12
Liferay 7.4 GA=7.0-fix_pack_13
Liferay 7.4 GA=7.0-fix_pack_14
Liferay 7.4 GA=7.0-fix_pack_15
Liferay 7.4 GA=7.0-fix_pack_16
Liferay 7.4 GA=7.0-fix_pack_17
Liferay 7.4 GA=7.0-fix_pack_18
Liferay 7.4 GA=7.0-fix_pack_19
Liferay 7.4 GA=7.0-fix_pack_2
Liferay 7.4 GA=7.0-fix_pack_20
Liferay 7.4 GA=7.0-fix_pack_21
Liferay 7.4 GA=7.0-fix_pack_22
Liferay 7.4 GA=7.0-fix_pack_23
Liferay 7.4 GA=7.0-fix_pack_24
Liferay 7.4 GA=7.0-fix_pack_25
Liferay 7.4 GA=7.0-fix_pack_26
Liferay 7.4 GA=7.0-fix_pack_27
Liferay 7.4 GA=7.0-fix_pack_28
Liferay 7.4 GA=7.0-fix_pack_29
Liferay 7.4 GA=7.0-fix_pack_3
Liferay 7.4 GA=7.0-fix_pack_30
Liferay 7.4 GA=7.0-fix_pack_31
Liferay 7.4 GA=7.0-fix_pack_32
Liferay 7.4 GA=7.0-fix_pack_33
Liferay 7.4 GA=7.0-fix_pack_34
Liferay 7.4 GA=7.0-fix_pack_35
Liferay 7.4 GA=7.0-fix_pack_36
Liferay 7.4 GA=7.0-fix_pack_37
Liferay 7.4 GA=7.0-fix_pack_38
Liferay 7.4 GA=7.0-fix_pack_39
Liferay 7.4 GA=7.0-fix_pack_4
Liferay 7.4 GA=7.0-fix_pack_40
Liferay 7.4 GA=7.0-fix_pack_41
Liferay 7.4 GA=7.0-fix_pack_42
Liferay 7.4 GA=7.0-fix_pack_43
Liferay 7.4 GA=7.0-fix_pack_44
Liferay 7.4 GA=7.0-fix_pack_45
Liferay 7.4 GA=7.0-fix_pack_46
Liferay 7.4 GA=7.0-fix_pack_47
Liferay 7.4 GA=7.0-fix_pack_48
Liferay 7.4 GA=7.0-fix_pack_49
Liferay 7.4 GA=7.0-fix_pack_5
Liferay 7.4 GA=7.0-fix_pack_50
Liferay 7.4 GA=7.0-fix_pack_51
Liferay 7.4 GA=7.0-fix_pack_52
Liferay 7.4 GA=7.0-fix_pack_53
Liferay 7.4 GA=7.0-fix_pack_54
Liferay 7.4 GA=7.0-fix_pack_55
Liferay 7.4 GA=7.0-fix_pack_56
Liferay 7.4 GA=7.0-fix_pack_57
Liferay 7.4 GA=7.0-fix_pack_58
Liferay 7.4 GA=7.0-fix_pack_59
Liferay 7.4 GA=7.0-fix_pack_6
Liferay 7.4 GA=7.0-fix_pack_60
Liferay 7.4 GA=7.0-fix_pack_61
Liferay 7.4 GA=7.0-fix_pack_62
Liferay 7.4 GA=7.0-fix_pack_63
Liferay 7.4 GA=7.0-fix_pack_64
Liferay 7.4 GA=7.0-fix_pack_65
Liferay 7.4 GA=7.0-fix_pack_66
Liferay 7.4 GA=7.0-fix_pack_67
Liferay 7.4 GA=7.0-fix_pack_68
Liferay 7.4 GA=7.0-fix_pack_69
Liferay 7.4 GA=7.0-fix_pack_7
Liferay 7.4 GA=7.0-fix_pack_70
Liferay 7.4 GA=7.0-fix_pack_71
Liferay 7.4 GA=7.0-fix_pack_72
Liferay 7.4 GA=7.0-fix_pack_73
Liferay 7.4 GA=7.0-fix_pack_74
Liferay 7.4 GA=7.0-fix_pack_75
Liferay 7.4 GA=7.0-fix_pack_76
Liferay 7.4 GA=7.0-fix_pack_77
Liferay 7.4 GA=7.0-fix_pack_78
Liferay 7.4 GA=7.0-fix_pack_79
Liferay 7.4 GA=7.0-fix_pack_8
Liferay 7.4 GA=7.0-fix_pack_80
Liferay 7.4 GA=7.0-fix_pack_81
Liferay 7.4 GA=7.0-fix_pack_82
Liferay 7.4 GA=7.0-fix_pack_83
Liferay 7.4 GA=7.0-fix_pack_84
Liferay 7.4 GA=7.0-fix_pack_85
Liferay 7.4 GA=7.0-fix_pack_86
Liferay 7.4 GA=7.0-fix_pack_87
Liferay 7.4 GA=7.0-fix_pack_88
Liferay 7.4 GA=7.0-fix_pack_89
Liferay 7.4 GA=7.0-fix_pack_9
Liferay 7.4 GA=7.0-fix_pack_90
Liferay 7.4 GA=7.0-fix_pack_91
Liferay 7.4 GA=7.0-fix_pack_92
Liferay 7.4 GA=7.0-fix_pack_93
Liferay 7.4 GA=7.0-fix_pack_94
Liferay 7.4 GA=7.0-fix_pack_95
Liferay 7.4 GA=7.0-fix_pack_96
Liferay 7.4 GA=7.0-fix_pack_97
Liferay 7.4 GA=7.0-fix_pack_98
Liferay 7.4 GA=7.0-fix_pack_99
Liferay 7.4 GA=7.1
Liferay 7.4 GA=7.1-fix_pack_1
Liferay 7.4 GA=7.1-fix_pack_10
Liferay 7.4 GA=7.1-fix_pack_11
Liferay 7.4 GA=7.1-fix_pack_12
Liferay 7.4 GA=7.1-fix_pack_13
Liferay 7.4 GA=7.1-fix_pack_14
Liferay 7.4 GA=7.1-fix_pack_15
Liferay 7.4 GA=7.1-fix_pack_16
Liferay 7.4 GA=7.1-fix_pack_17
Liferay 7.4 GA=7.1-fix_pack_18
Liferay 7.4 GA=7.1-fix_pack_19
Liferay 7.4 GA=7.1-fix_pack_2
Liferay 7.4 GA=7.1-fix_pack_20
Liferay 7.4 GA=7.1-fix_pack_21
Liferay 7.4 GA=7.1-fix_pack_22
Liferay 7.4 GA=7.1-fix_pack_23
Liferay 7.4 GA=7.1-fix_pack_24
Liferay 7.4 GA=7.1-fix_pack_25
Liferay 7.4 GA=7.1-fix_pack_26
Liferay 7.4 GA=7.1-fix_pack_3
Liferay 7.4 GA=7.1-fix_pack_4
Liferay 7.4 GA=7.1-fix_pack_5
Liferay 7.4 GA=7.1-fix_pack_6
Liferay 7.4 GA=7.1-fix_pack_7
Liferay 7.4 GA=7.1-fix_pack_8
Liferay 7.4 GA=7.1-fix_pack_9
Liferay 7.4 GA=7.1-sp1
Liferay 7.4 GA=7.2
Liferay 7.4 GA=7.2-fix_pack_1
Liferay 7.4 GA=7.2-fix_pack_10
Liferay 7.4 GA=7.2-fix_pack_11
Liferay 7.4 GA=7.2-fix_pack_12
Liferay 7.4 GA=7.2-fix_pack_13
Liferay 7.4 GA=7.2-fix_pack_14
Liferay 7.4 GA=7.2-fix_pack_15
Liferay 7.4 GA=7.2-fix_pack_16
Liferay 7.4 GA=7.2-fix_pack_2
Liferay 7.4 GA=7.2-fix_pack_3
Liferay 7.4 GA=7.2-fix_pack_4
Liferay 7.4 GA=7.2-fix_pack_5
Liferay 7.4 GA=7.2-fix_pack_6
Liferay 7.4 GA=7.2-fix_pack_7
Liferay 7.4 GA=7.2-fix_pack_8
Liferay 7.4 GA=7.2-fix_pack_9
Liferay 7.4 GA=7.3
Liferay 7.4 GA=7.3-fix_pack_1
Liferay 7.4 GA=7.3-fix_pack_2
Liferay 7.4 GA=7.4
Liferay 7.4 GA>=7.0.0<7.4.3.5

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2022-42132?

    CVE-2022-42132 has been classified as a medium severity vulnerability due to the exposure of sensitive LDAP credentials in URLs.

  • How do I fix CVE-2022-42132?

    To fix CVE-2022-42132, upgrade to Liferay Portal versions 7.4.3.5 or later, or apply the appropriate fix packs for older versions.

  • What types of systems are affected by CVE-2022-42132?

    CVE-2022-42132 affects Liferay Portal versions from 7.0.0 through 7.4.3.4 and various fix packs of Liferay DXP.

  • What are the potential impacts of CVE-2022-42132?

    The potential impacts include unauthorized access to LDAP user credentials which may lead to further exploitation.

  • Is CVE-2022-42132 a remote attack vulnerability?

    Yes, CVE-2022-42132 can be exploited remotely if an attacker can access the affected system's URLs containing sensitive data.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203