CVE-2022-42129 — Authorization Bypass in Liferay Portal

Description

An Insecure direct object reference (IDOR) vulnerability in the Dynamic Data Mapping module in Liferay Portal 7.3.2 through 7.4.3.4, and Liferay DXP 7.3 before update 4, and 7.4 GA allows remote authenticated users to view and access form entries via the `formInstanceRecordId` parameter.

How to fix CVE-2022-42129

To remediate CVE-2022-42129, upgrade the affected package to a fixed version below.

—no fix listed
—upgrade to 7.4.3.5 or later

Is CVE-2022-42129 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

>= 7.3.0, <= 7.3.0, >= 7.4.0, <= 7.4.0
>= 7.3.2, < 7.4.3.5

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-42129
WEBliferay.com
WEBissues.liferay.com/browse/LPE-17448
WEBportal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42129