CVE-2022-42120 — Liferay Portal and Liferay DXP Vulnerable to SQL Injection via the Fragment Modu

Description

A SQL injection vulnerability in the Fragment module before 4.0.33 from Liferay Portal (7.3.3 through 7.4.3.16), and Liferay DXP 7.3 before update 4, and 7.4 before update 17 allows attackers to execute arbitrary SQL commands via a PortletPreferences' `namespace` attribute.

How to fix CVE-2022-42120

To remediate CVE-2022-42120, upgrade the affected package to a fixed version below.

—upgrade to 4.0.33 or later
—upgrade to 7.3.10.u4 or later

Is CVE-2022-42120 being exploited?

Low — EPSS is 0.8%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 4.0.33
>= 7.3.0, < 7.3.10.u4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-42120
PATCHgithub.com/liferay/liferay-portal
WEBliferay.com
WEBgithub.com/liferay/liferay-portal/commit/6f94d203f5a194a64055e1e0ba0224d26ec54e47
WEBissues.liferay.com