CVE-2022-42126

Missing permissions check in Liferay Portal in maven/com.liferay.portal/release.portal.bom

Identifiers

GHSA-642h-mx8q-47p2, CVE-2022-42126

Package Slug

maven/com.liferay.portal/release.portal.bom

Vulnerability

Missing permissions check in Liferay Portal

Description

The Asset Libraries module in Liferay Portal 7.3.5 through 7.4.3.28, and Liferay DXP 7.3 before update 8, and DXP 7.4 before update 29 does not properly check permissions of asset libraries, which allows remote authenticated users to view asset libraries via the UI.

Affected Versions

All versions starting from 7.3.5 up to 7.4.3.28

Solution

Upgrade to version 7.4.3.48 or above.

Last Modified

2022-11-22

source