CVE-2022-42123

Published: Nov 15, 2022Modified: Sep 5, 2025

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

A Zip slip vulnerability in the Elasticsearch Connector in Liferay Portal 7.3.3 through 7.4.3.18, and Liferay DXP 7.3 before update 6, and 7.4 before update 19 allows attackers to create or overwrite existing files on the filesystem via the installation of a malicious Elasticsearch Sidecar plugin.

Affected (3)

Products: Liferay: Digital Experience Platform, Liferay Portal

2 products

Digital Experience Platform

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Liferay Digital Experience Platform	Version 7.3
Liferay Digital Experience Platform	Version 7.4
Liferay Liferay Portal	From 7.3.3 to 7.4.3.19

Related CWEs

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References (6)

http://liferay.com

Source: cve@mitre.org

Vendor Advisory

https://issues.liferay.com/browse/LPE-17518

Source: cve@mitre.org

Vendor Advisory

https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42123

Source: cve@mitre.org

Vendor Advisory

http://liferay.com

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://issues.liferay.com/browse/LPE-17518

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42123

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.