CVE-2022-42126

The Asset Libraries module in Liferay Portal 7.3.5 through 7.4.3.28, and Liferay DXP 7.3 before update 8, and DXP 7.4 before update 29 does not properly check permissions of asset libraries, which allows remote authenticated users to view asset libraries via the UI.

CVSS v3.0 4.3 MEDIUM

4.3^/10

CVSS v3.0 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42126	Vendor Advisory
https://issues.liferay.com/browse/LPE-17593	Vendor Advisory
http://liferay.com	Vendor Advisory

Advertisement

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:liferay:digital_experience_platform:7.3:-::::::
	cpe:2.3:a:liferay:digital_experience_platform:7.4:update1::::::
	cpe:2.3:a:liferay:digital_experience_platform:7.4:-::::::
	cpe:2.3:a:liferay:liferay_portal::::::::

Information

Published : 2022-11-14 17:15

Updated : 2022-11-18 08:55

NVD link : CVE-2022-42126

Mitre link : CVE-2022-42126

JSON object : View

CWE

NVD-CWE-noinfo

Advertisement

Products Affected

liferay

liferay_portal
digital_experience_platform

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42126", "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42126", "tags": ["Vendor Advisory"], "refsource": "MISC"}, {"url": "https://issues.liferay.com/browse/LPE-17593", "name": "https://issues.liferay.com/browse/LPE-17593", "tags": ["Vendor Advisory"], "refsource": "MISC"}, {"url": "http://liferay.com", "name": "http://liferay.com", "tags": ["Vendor Advisory"], "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "The Asset Libraries module in Liferay Portal 7.3.5 through 7.4.3.28, and Liferay DXP 7.3 before update 8, and DXP 7.4 before update 29 does not properly check permissions of asset libraries, which allows remote authenticated users to view asset libraries via the UI."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2022-42126", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}}, "publishedDate": "2022-11-15T01:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update1:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "7.4.3.29", "versionStartIncluding": "7.3.5"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2022-11-18T16:55Z"}