Description

The Asset Libraries module in Liferay Portal 7.3.5 through 7.4.3.28, and Liferay DXP 7.3 before update 8, and DXP 7.4 before update 29 does not properly check permissions of asset libraries, which allows remote authenticated users to view asset libraries via the UI.

Remediation

References

http://liferay.com

https://issues.liferay.com/browse/LPE-17593

https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42126

Related Vulnerabilities

CVE-2019-1003010 Vulnerability in maven package org.jenkins-ci.plugins:git

CVE-2018-1000195 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2020-9487 Vulnerability in maven package org.apache.nifi:nifi-web-security

CVE-2020-2091 Vulnerability in maven package org.jenkins-ci.plugins:ec2

CVE-2016-7191 Vulnerability in npm package passport-azure-ad

Severity

Medium

Classification

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Vendor Advisory NVD-CWE-noinfo