CVE-2022-42126
Missing permissions check in Liferay Portal
CVSS 3.1: 4.3 (MEDIUM)
EPSS: 0.14%
Description
The Asset Libraries module in Liferay Portal 7.3.5 through 7.4.3.28, and Liferay DXP 7.3 before update 8, and DXP 7.4 before update 29 does not properly check permissions of asset libraries, which allows remote authenticated users to view asset libraries via the UI.
How to fix CVE-2022-42126
To remediate CVE-2022-42126, upgrade the affected package to a fixed version below.
- no fix listed
- upgrade to 7.4.3.48 or later
Is CVE-2022-42126 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 7.3.0, <= 7.3.0, >= 7.4.0, <= 7.4.0 | >= 7.4-update1.0, <= 7.4-update1.0
- >= 7.3.5, < 7.4.3.48
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |