CVE-2022-42125: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

November 15, 2022 (updated November 21, 2022)

Zip slip vulnerability in FileUtil.unzip in Liferay Portal 7.4.3.5 through 7.4.3.35 and Liferay DXP 7.4 update 1 through update 34 allows attackers to create or overwrite existing files on the filesystem via the deployment of a malicious plugin/module.

References

liferay.com/
github.com/advisories/GHSA-g8hp-rc67-jf96
issues.liferay.com/browse/LPE-17517
nvd.nist.gov/vuln/detail/CVE-2022-42125
portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42125

Detect and mitigate CVE-2022-42125 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →