Description

A Zip slip vulnerability in the Elasticsearch Connector in Liferay Portal 7.3.3 through 7.4.3.18, and Liferay DXP 7.3 before update 6, and 7.4 before update 19 allows attackers to create or overwrite existing files on the filesystem via the installation of a malicious Elasticsearch Sidecar plugin.

Remediation

References

http://liferay.com

https://issues.liferay.com/browse/LPE-17518

https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42123

Related Vulnerabilities

CVE-2022-41230 Vulnerability in maven package org.jenkins-ci.plugins:build-publisher

CVE-2020-6452 Vulnerability in npm package electron

CVE-2020-2096 Vulnerability in maven package org.jenkins-ci.plugins:gitlab-hook

CVE-2023-28682 Vulnerability in maven package org.jenkins-ci.plugins:perfpublisher

CVE-2020-1926 Vulnerability in maven package org.apache.hive:hive-service

Severity

High

Classification

CWE-22 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Tags

Vendor Advisory