GHSA-wgqm-qp44-cg6x

Source

https://github.com/advisories/GHSA-wgqm-qp44-cg6x

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-wgqm-qp44-cg6x/GHSA-wgqm-qp44-cg6x.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-wgqm-qp44-cg6x

Aliases

BIT-liferay-2022-42128
CVE-2022-42128

Published

2022-11-15T12:00:16Z

Modified

2023-12-06T01:02:40.110369Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Incorrect Default Permissions in Liferay Portal

Details

The Hypermedia REST APIs module in Liferay Portal 7.4.1 through 7.4.3.4, and Liferay DXP 7.4 GA does not properly check permissions, which allows remote attackers to obtain a WikiNode object via the WikiNodeResource.getSiteWikiNodeByExternalReferenceCode API.

Database specific

{
    "nvd_published_at": "2022-11-15T01:15:00Z",
    "github_reviewed_at": "2022-11-21T23:46:02Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-276"
    ]
}

References

Affected packages

Maven / com.liferay.portal:release.portal.bom

Package

Name: com.liferay.portal:release.portal.bom; View open source insights on deps.dev
Purl: pkg:maven/com.liferay.portal/release.portal.bom

Affected ranges

Type: ECOSYSTEM
Events: Introduced

7.4.1

Fixed

7.4.3.5

Affected versions

7.*

7.4.1

7.4.1-1

7.4.2

7.4.2-1

7.4.3.4

Database specific

{
    "last_known_affected_version_range": "<= 7.4.3.4"
}