CVE-2022-42126: Missing permissions check in Liferay Portal

November 15, 2022 (updated November 21, 2022)

The Asset Libraries module in Liferay Portal 7.3.5 through 7.4.3.28, and Liferay DXP 7.3 before update 8, and DXP 7.4 before update 29 does not properly check permissions of asset libraries, which allows remote authenticated users to view asset libraries via the UI.

References

liferay.com/
github.com/advisories/GHSA-642h-mx8q-47p2
issues.liferay.com/browse/LPE-17593
nvd.nist.gov/vuln/detail/CVE-2022-42126
portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42126

Code Behaviors & Features

Detect and mitigate CVE-2022-42126 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →