Description
The Asset Libraries module in Liferay Portal 7.3.5 through 7.4.3.28, and Liferay DXP 7.3 before update 8, and DXP 7.4 before update 29 does not properly check permissions of asset libraries, which allows remote authenticated users to view asset libraries via the UI.
Remediation
References
http://liferay.com
https://issues.liferay.com/browse/LPE-17593
https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42126
Related Vulnerabilities
CVE-2019-10174 Vulnerability in maven package org.infinispan:infinispan-commons
CVE-2023-25157 Vulnerability in maven package org.geoserver.community:gs-jdbcconfig
CVE-2019-1354 Vulnerability in npm package nodegit
CVE-2020-2238 Vulnerability in maven package org.jenkins-ci.plugins:git-parameter
CVE-2022-39135 Vulnerability in maven package org.apache.calcite:calcite-core