CVE-2023-33945
SQL injection in Liferay Portal
CVSS 3.1 base score: 8.1 (HIGH)
EPSS: 0.65%
Description
SQL injection vulnerability in the upgrade process for SQL Server in Liferay Portal 7.3.1 through 7.4.3.17, and Liferay DXP 7.3 before update 6, and 7.4 before update 18 allows attackers to execute arbitrary SQL commands via the name of a database table's primary key index. This vulnerability is only exploitable when chained with other attacks. To exploit this vulnerability, the attacker must modify the database and wait for the application to be upgraded.
How to fix CVE-2023-33945
To remediate CVE-2023-33945, upgrade the affected package to a fixed version below.
- —no fix listed
- —upgrade to 7.4.3.18 or later
Is CVE-2023-33945 being exploited?
Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 7.3.0, <= 7.3.0, >= 7.4.0, <= 7.4.0 | >= 7.3-fix.0, <= 7.3-fix.0, >= 7.3-fix.0, <= 7.3-fix.0, >= 7.4-update1.0, <= 7.4-update1.0
- >= 7.3.1, < 7.4.3.18
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (8.1) | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |