CVE-2022-42123: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

November 15, 2022 (updated November 21, 2022)

A Zip slip vulnerability in the Elasticsearch Connector in Liferay Portal 7.3.3 through 7.4.3.18, and Liferay DXP 7.3 before update 6, and 7.4 before update 19 allows attackers to create or overwrite existing files on the filesystem via the installation of a malicious Elasticsearch Sidecar plugin.

References

github.com/advisories/GHSA-hffx-r282-w2g9
issues.liferay.com/browse/LPE-17518
nvd.nist.gov/vuln/detail/CVE-2022-42123
portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42123

Code Behaviors & Features

Detect and mitigate CVE-2022-42123 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →