Lucene search

GoogleOSV:BIT-LIFERAY-2022-42125

HistoryJan 31, 2024 - 3:20 p.m.

BIT-liferay-2022-42125

2024-01-3115:20:25

Google

osv.dev

zip slip

liferay portal

liferay dxp

fileutil.unzip

vulnerability

filesystem

malicious plugin

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

AI Score

6.8

Confidence

High

EPSS

0.001

Percentile

45.1%

JSON

Zip slip vulnerability in FileUtil.unzip in Liferay Portal 7.4.3.5 through 7.4.3.35 and Liferay DXP 7.4 update 1 through update 34 allows attackers to create or overwrite existing files on the filesystem via the deployment of a malicious plugin/module.

References

liferay.com

issues.liferay.com/browse/LPE-17517

portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42125

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

AI Score

6.8

Confidence

High

EPSS

0.001

Percentile

45.1%

JSON

Related for OSV:BIT-LIFERAY-2022-42125