CVE-2022-42128: Incorrect Default Permissions

November 15, 2022 (updated November 21, 2022)

The Hypermedia REST APIs module in Liferay Portal 7.4.1 through 7.4.3.4, and Liferay DXP 7.4 GA does not properly check permissions, which allows remote attackers to obtain a WikiNode object via the WikiNodeResource.getSiteWikiNodeByExternalReferenceCode API.

References

liferay.com/
github.com/advisories/GHSA-wgqm-qp44-cg6x
issues.liferay.com/browse/LPE-17595
nvd.nist.gov/vuln/detail/CVE-2022-42128
portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42128

Code Behaviors & Features

Detect and mitigate CVE-2022-42128 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →