CVE-2023-33945

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-33945

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-33945.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-33945

Aliases

Published

2023-05-24T16:15:09.760Z

Modified

2026-01-14T07:04:38.764589Z

Severity

8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

SQL injection vulnerability in the upgrade process for SQL Server in Liferay Portal 7.3.1 through 7.4.3.17, and Liferay DXP 7.3 before update 6, and 7.4 before update 18 allows attackers to execute arbitrary SQL commands via the name of a database table's primary key index. This vulnerability is only exploitable when chained with other attacks. To exploit this vulnerability, the attacker must modify the database and wait for the application to be upgraded.

References

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33945

Affected packages

Git / github.com/liferay/liferay-portal

Affected ranges

Type: GIT
Repo: https://github.com/liferay/liferay-portal
Events: Last affected

0515646c8f638f202d107469cc147172fc7685de

Last affected

4ffdd7225ef4a5fd922703263a3006a741a4d8d0

Last affected

548f3899675d89749f92b7623d25e27d0c4691c7

Last affected

6d28f4266948e7b0eeb14c3e8d16b3d81e02e8bb

Last affected

75354f3482d7c5edb70f4cd72ed8664ce8079842

Last affected

77b773677e0fa17b1a869414ad66220245ba96a8

Introduced

ec84d86679146b84af526f96471a730c340dda78

Last affected

f147f938cdc74b0c0821cdb151fce8c378e0fdf5

Last affected

f193301b2848899b008d51513af62a3b3a9b7888

Affected versions

7.*

7.4.0-ga1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-33945.json"