CVE-2022-42125

Published: Nov 15, 2022Modified: Apr 30, 2025

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

Zip slip vulnerability in FileUtil.unzip in Liferay Portal 7.4.3.5 through 7.4.3.35 and Liferay DXP 7.4 update 1 through update 34 allows attackers to create or overwrite existing files on the filesystem via the deployment of a malicious plugin/module.

Affected (3)

Products: Liferay: Digital Experience Platform, Liferay Portal

2 products

Digital Experience Platform

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Liferay Digital Experience Platform	Version 7.4 update1
Liferay Digital Experience Platform	Version 7.4 update34
Liferay Liferay Portal	From 7.4.3.5 to 7.4.3.36

Related CWEs

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References (6)

http://liferay.com

Source: cve@mitre.org

Vendor Advisory

https://issues.liferay.com/browse/LPE-17517

Source: cve@mitre.org

Vendor Advisory

https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42125

Source: cve@mitre.org

Vendor Advisory

http://liferay.com

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://issues.liferay.com/browse/LPE-17517

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42125

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.