Description

A Zip slip vulnerability in the Elasticsearch Connector in Liferay Portal 7.3.3 through 7.4.3.18, and Liferay DXP 7.3 before update 6, and 7.4 before update 19 allows attackers to create or overwrite existing files on the filesystem via the installation of a malicious Elasticsearch Sidecar plugin.

Remediation

References

http://liferay.com

https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42123

https://issues.liferay.com/browse/LPE-17518

Related Vulnerabilities

CVE-2019-10306 Vulnerability in maven package org.jenkins-ci.plugins:ontrack

CVE-2010-1244 Vulnerability in maven package org.apache.activemq:activemq-web

CVE-2019-10392 Vulnerability in maven package org.jenkins-ci.plugins:git-client

CVE-2020-2228 Vulnerability in maven package org.jenkins-ci.plugins:gitlab-oauth

CVE-2023-45135 Vulnerability in maven package org.xwiki.platform:xwiki-platform-flamingo-skin-resources

Severity

High

Classification

CWE-22 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Tags

Vendor Advisory