CVE-2022-42132

Description

The Test LDAP Users functionality in Liferay Portal 7.0.0 through 7.4.3.4, and Liferay DXP 7.0 fix pack 102 and earlier, 7.1 before fix pack 27, 7.2 before fix pack 17, 7.3 before update 4, and DXP 7.4 GA includes the LDAP credential in the page URL when paginating through the list of users, which allows man-in-the-middle attackers or attackers with access to the request logs to see the LDAP credential.

Risk Information

Base Score: 5.9 (MODERATE)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score (Exploitation Probability): 0.328

Associated Vulnerability

Vulnerability | OS Platform
Multiple vulnerabilities are fixed in Liferay - release.dxp.bom 7.3.10 | Windows
Multiple vulnerabilities are fixed in Liferay - release.dxp.bom 7.2.10 | Windows
Vulnerabilities CVE-2022-42110, CVE-2022-42118, CVE-2022-42132, CVE-2022-42121 are fixed in Liferay - release.dxp.bom 7.1.10 | Windows
Vulnerability CVE-2022-42132 is fixed in Liferay - release.portal.bom 7.4.3.5 | Windows
Vulnerability CVE-2022-42132 affects Liferay - release.dxp.bom 7.0.10 | Windows
Vulnerability CVE-2022-42132 is fixed in Liferay - com.liferay.portal.settings.authentication.ldap.web 5.0.13 | Windows
Multiple vulnerabilities are fixed in Liferay - release.dxp.bom for Linux 7.3.10 | Linux
Multiple vulnerabilities are fixed in Liferay - release.dxp.bom for Linux 7.2.10 | Linux
Vulnerabilities CVE-2022-42110, CVE-2022-42118, CVE-2022-42132, CVE-2022-42121 are fixed in Liferay - release.dxp.bom for Linux 7.1.10 | Linux
Vulnerability CVE-2022-42132 is fixed in Liferay - release.portal.bom for Linux 7.4.3.5 | Linux
Vulnerability CVE-2022-42132 affects Liferay - release.dxp.bom for Linux 7.0.10 | Linux
Vulnerability CVE-2022-42132 is fixed in Liferay - com.liferay.portal.settings.authentication.ldap.web for Linux 5.0.13 | Linux

Patch Details

No records found
