CVE-2022-42128

2022-11-1501:15:13

CWE-276

[email protected]

web.nvd.nist.gov

cve-2022-42128

hypermedia

rest apis

liferay portal

liferay dxp

security

vulnerability

api

remote attack

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5.2 Medium

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

56.4%

JSON

The Hypermedia REST APIs module in Liferay Portal 7.4.1 through 7.4.3.4, and Liferay DXP 7.4 GA does not properly check permissions, which allows remote attackers to obtain a WikiNode object via the WikiNodeResource.getSiteWikiNodeByExternalReferenceCode API.

Affected configurations

NVD

Node

liferaydigital_experience_platformMatch7.4-

liferayliferay_portalRange7.4.1–7.4.3.5

CPENameOperatorVersion
liferay:digital_experience_platformliferay digital experience platformeq7.4
liferay:liferay_portalliferay liferay portallt7.4.3.5