CVE-2022-42124 — Regex Denial of Service in Portal

CWE-1333 — Regex Denial of Service4 documents4 sources

Severity

7.5HIGHNVD

EPSS

1.2%

top 21.19%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay Portal Liferay Digital Experience Platform

Timeline

PublishedNov 15

Description

ReDoS vulnerability in LayoutPageTemplateEntryUpgradeProcess in Liferay Portal 7.3.2 through 7.4.3.4 and Liferay DXP 7.2 fix pack 9 through fix pack 18, 7.3 before update 4, and DXP 7.4 GA allows remote attackers to consume an excessive amount of server resources via a crafted payload injected into the 'name' field of a layout prototype.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDliferay/liferay_portal7.3.2 — 7.4.3.5

▶NVDliferay/digital_experience_platform7.2, 7.3, 7.4+2

🔴Vulnerability Details

GHSA

Inefficient Regular Expression Complexity in Liferay Portal↗2022-11-15

▶

CVEList

CVE-2022-42124: ReDoS vulnerability in LayoutPageTemplateEntryUpgradeProcess in Liferay Portal 7↗2022-11-15

▶

OSV

Inefficient Regular Expression Complexity in Liferay Portal↗2022-11-15

▶