CVE-2023-33945

Source
https://cve.org/CVERecord?id=CVE-2023-33945
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-33945.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-33945
Aliases
Published
2023-05-24T16:15:09.760Z
Modified
2026-07-08T06:36:33.769851003Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

SQL injection vulnerability in the upgrade process for SQL Server in Liferay Portal 7.3.1 through 7.4.3.17, and Liferay DXP 7.3 before update 6, and 7.4 before update 18 allows attackers to execute arbitrary SQL commands via the name of a database table's primary key index. This vulnerability is only exploitable when chained with other attacks. To exploit this vulnerability, the attacker must modify the database and wait for the application to be upgraded.

Database specific
{
    "unresolved_ranges": [
        {
            "cpes": [
                "cpe:2.3:a:liferay:digital_experience_platform:7.3:update1:*:*:*:*:*:*",
                "cpe:2.3:a:liferay:digital_experience_platform:7.3:update2:*:*:*:*:*:*",
                "cpe:2.3:a:liferay:digital_experience_platform:7.3:update3:*:*:*:*:*:*",
                "cpe:2.3:a:liferay:digital_experience_platform:7.3:update4:*:*:*:*:*:*",
                "cpe:2.3:a:liferay:digital_experience_platform:7.3:update5:*:*:*:*:*:*",
                "cpe:2.3:a:liferay:digital_experience_platform:7.4:update10:*:*:*:*:*:*",
                "cpe:2.3:a:liferay:digital_experience_platform:7.4:update11:*:*:*:*:*:*",
                "cpe:2.3:a:liferay:digital_experience_platform:7.4:update12:*:*:*:*:*:*",
                "cpe:2.3:a:liferay:digital_experience_platform:7.4:update13:*:*:*:*:*:*",
                "cpe:2.3:a:liferay:digital_experience_platform:7.4:update14:*:*:*:*:*:*",
                "cpe:2.3:a:liferay:digital_experience_platform:7.4:update15:*:*:*:*:*:*",
                "cpe:2.3:a:liferay:digital_experience_platform:7.4:update16:*:*:*:*:*:*",
                "cpe:2.3:a:liferay:digital_experience_platform:7.4:update17:*:*:*:*:*:*",
                "cpe:2.3:a:liferay:digital_experience_platform:7.4:update1:*:*:*:*:*:*",
                "cpe:2.3:a:liferay:digital_experience_platform:7.4:update2:*:*:*:*:*:*",
                "cpe:2.3:a:liferay:digital_experience_platform:7.4:update3:*:*:*:*:*:*",
                "cpe:2.3:a:liferay:digital_experience_platform:7.4:update4:*:*:*:*:*:*",
                "cpe:2.3:a:liferay:digital_experience_platform:7.4:update5:*:*:*:*:*:*",
                "cpe:2.3:a:liferay:digital_experience_platform:7.4:update6:*:*:*:*:*:*",
                "cpe:2.3:a:liferay:digital_experience_platform:7.4:update7:*:*:*:*:*:*",
                "cpe:2.3:a:liferay:digital_experience_platform:7.4:update8:*:*:*:*:*:*",
                "cpe:2.3:a:liferay:digital_experience_platform:7.4:update9:*:*:*:*:*:*"
            ],
            "vendor_product": "liferay:digital_experience_platform",
            "extracted_events": [
                {
                    "introduced": "7.3-update1"
                },
                {
                    "last_affected": "7.3-update1"
                },
                {
                    "introduced": "7.3-update2"
                },
                {
                    "last_affected": "7.3-update2"
                },
                {
                    "introduced": "7.3-update3"
                },
                {
                    "last_affected": "7.3-update3"
                },
                {
                    "introduced": "7.3-update4"
                },
                {
                    "last_affected": "7.3-update4"
                },
                {
                    "introduced": "7.3-update5"
                },
                {
                    "last_affected": "7.3-update5"
                },
                {
                    "introduced": "7.4-update1"
                },
                {
                    "last_affected": "7.4-update1"
                },
                {
                    "introduced": "7.4-update10"
                },
                {
                    "last_affected": "7.4-update10"
                },
                {
                    "introduced": "7.4-update11"
                },
                {
                    "last_affected": "7.4-update11"
                },
                {
                    "introduced": "7.4-update12"
                },
                {
                    "last_affected": "7.4-update12"
                },
                {
                    "introduced": "7.4-update13"
                },
                {
                    "last_affected": "7.4-update13"
                },
                {
                    "introduced": "7.4-update14"
                },
                {
                    "last_affected": "7.4-update14"
                },
                {
                    "introduced": "7.4-update15"
                },
                {
                    "last_affected": "7.4-update15"
                },
                {
                    "introduced": "7.4-update16"
                },
                {
                    "last_affected": "7.4-update16"
                },
                {
                    "introduced": "7.4-update17"
                },
                {
                    "last_affected": "7.4-update17"
                },
                {
                    "introduced": "7.4-update2"
                },
                {
                    "last_affected": "7.4-update2"
                },
                {
                    "introduced": "7.4-update3"
                },
                {
                    "last_affected": "7.4-update3"
                },
                {
                    "introduced": "7.4-update4"
                },
                {
                    "last_affected": "7.4-update4"
                },
                {
                    "introduced": "7.4-update5"
                },
                {
                    "last_affected": "7.4-update5"
                },
                {
                    "introduced": "7.4-update6"
                },
                {
                    "last_affected": "7.4-update6"
                },
                {
                    "introduced": "7.4-update7"
                },
                {
                    "last_affected": "7.4-update7"
                },
                {
                    "introduced": "7.4-update8"
                },
                {
                    "last_affected": "7.4-update8"
                },
                {
                    "introduced": "7.4-update9"
                },
                {
                    "last_affected": "7.4-update9"
                }
            ],
            "source": "CPE_STRING"
        }
    ]
}
References

Affected packages

Git / github.com/liferay/liferay-portal

Affected ranges

Type
GIT
Repo
https://github.com/liferay/liferay-portal
Events
Database specific
{
    "cpe": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "7.3.1"
        },
        {
            "last_affected": "7.3.7"
        },
        {
            "introduced": "7.4.0"
        },
        {
            "last_affected": "7.4.3.17"
        }
    ],
    "source": "CPE_RANGE"
}

Affected versions

7.*
7.3.1-ga2
7.3.2-ga3
7.3.3-ga4
7.3.4-ga5
7.3.6-ga7
7.3.7-ga8
7.4.0-ga1
7.4.1-ga2
7.4.2-ga3
7.4.3.17-ga17
7.4.3.4-ga4
7.4.3.5-ga5
7.4.3.6-ga6
7.4.3.7-ga7
Other
test-fix-pack-base-7310

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-33945.json"