CVE-2022-42132
Liferay Portal and Liferay DXP Includes LDAP Credentials in the Page URL
5.9
MEDIUM
CVSS 3.1
EPSS 0.33%
Description
The Test LDAP Users functionality in Liferay Portal 7.0.0 through 7.4.3.4, and Liferay DXP 7.0 fix pack 102 and earlier, 7.1 before fix pack 27, 7.2 before fix pack 17, 7.3 before update 4, and DXP 7.4 GA includes the LDAP credential in the page URL when paginating through the list of users, which allows man-in-the-middle attackers or attackers with access to the request logs to see the LDAP credential.
How to fix CVE-2022-42132
To remediate CVE-2022-42132, upgrade the affected package to a fixed version below.
- —no fix listed
- —upgrade to 5.0.13 or later
- —no fix listed
- —upgrade to 7.4.3.5-ga5 or later
Is CVE-2022-42132 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (4)
- >= 7.0.0, <= 7.0.0, >= 7.1.0, <= 7.1.0, >= 7.2.0, <= 7.2.0, >= 7.3.0, <= 7.3.0, >= 7.4.0, <= 7.4.0 | >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.1-fix.0, <= 7.1-fix.0, >= 7.1-fix.0, <= 7.1-fix.0, >= 7.1-fix.0, <= 7.1-fix.0, >= 7.1-fix.0, <= 7.1-fix.0, >= 7.1-fix.0, <= 7.1-fix.0, >= 7.1-fix.0, <= 7.1-fix.0, >= 7.1-fix.0, <= 7.1-fix.0, >= 7.1-fix.0, <= 7.1-fix.0, >= 7.1-fix.0, <= 7.1-fix.0, >= 7.1-fix.0, <= 7.1-fix.0, >= 7.1-fix.0, <= 7.1-fix.0, >= 7.1-fix.0, <= 7.1-fix.0, >= 7.1-fix.0, <= 7.1-fix.0, >= 7.1-fix.0, <= 7.1-fix.0, >= 7.1-fix.0, <= 7.1-fix.0, >= 7.1-fix.0, <= 7.1-fix.0, >= 7.1-fix.0, <= 7.1-fix.0, >= 7.1-fix.0, <= 7.1-fix.0, >= 7.1-fix.0, <= 7.1-fix.0, >= 7.1-fix.0, <= 7.1-fix.0, >= 7.1-fix.0, <= 7.1-fix.0, >= 7.1-fix.0, <= 7.1-fix.0, >= 7.1-fix.0, <= 7.1-fix.0, >= 7.1-fix.0, <= 7.1-fix.0, >= 7.1-fix.0, <= 7.1-fix.0, >= 7.1-fix.0, <= 7.1-fix.0, >= 7.1-sp1.0, <= 7.1-sp1.0, >= 7.2-fix.0, <= 7.2-fix.0, >= 7.2-fix.0, <= 7.2-fix.0, >= 7.2-fix.0, <= 7.2-fix.0, >= 7.2-fix.0, <= 7.2-fix.0, >= 7.2-fix.0, <= 7.2-fix.0, >= 7.2-fix.0, <= 7.2-fix.0, >= 7.2-fix.0, <= 7.2-fix.0, >= 7.2-fix.0, <= 7.2-fix.0, >= 7.2-fix.0, <= 7.2-fix.0, >= 7.2-fix.0, <= 7.2-fix.0, >= 7.2-fix.0, <= 7.2-fix.0, >= 7.2-fix.0, <= 7.2-fix.0, >= 7.2-fix.0, <= 7.2-fix.0, >= 7.2-fix.0, <= 7.2-fix.0, >= 7.2-fix.0, <= 7.2-fix.0, >= 7.2-fix.0, <= 7.2-fix.0, >= 7.3-fix.0, <= 7.3-fix.0, >= 7.3-fix.0, <= 7.3-fix.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |