GHSA-hffx-r282-w2g9

Source

https://github.com/advisories/GHSA-hffx-r282-w2g9

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-hffx-r282-w2g9/GHSA-hffx-r282-w2g9.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-hffx-r282-w2g9

Aliases

Published

2022-11-15T12:00:16Z

Modified

2023-12-06T00:47:37.233036Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

Path Traversal in Liferay Portal

Details

A Zip slip vulnerability in the Elasticsearch Connector in Liferay Portal 7.3.3 through 7.4.3.18, and Liferay DXP 7.3 before update 6, and 7.4 before update 19 allows attackers to create or overwrite existing files on the filesystem via the installation of a malicious Elasticsearch Sidecar plugin.

Database specific

{
    "nvd_published_at": "2022-11-15T01:15:00Z",
    "github_reviewed_at": "2022-11-21T23:50:32Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-22"
    ]
}

References

Affected packages

Maven / com.liferay.portal:release.portal.bom

Package

Name: com.liferay.portal:release.portal.bom; View open source insights on deps.dev
Purl: pkg:maven/com.liferay.portal/release.portal.bom

Affected ranges

Type: ECOSYSTEM
Events: Introduced

7.3.3

Fixed

7.4.3.19

Affected versions

7.*

7.3.3

7.3.3-1

7.3.4

7.3.5

7.3.6

7.3.7

7.4.0

7.4.1

7.4.1-1

7.4.2

7.4.2-1

7.4.3.4

7.4.3.5

7.4.3.6

7.4.3.7

7.4.3.8

7.4.3.9

7.4.3.10

7.4.3.11

7.4.3.12

7.4.3.13

7.4.3.14

7.4.3.15

7.4.3.16

7.4.3.17

7.4.3.18