CVE-2022-42132: Sensitive Information Exposure in Portal

Severity: 5.9 MEDIUM (NVD)
EPSS: 0.3% (top 44.15%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published 2022-11-15

Description

The Test LDAP Users functionality in Liferay Portal 7.0.0 through 7.4.3.4, and Liferay DXP 7.0 fix pack 102 and earlier, 7.1 before fix pack 27, 7.2 before fix pack 17, 7.3 before update 4, and DXP 7.4 GA includes the LDAP credential in the page URL when paginating through the list of users, which allows man-in-the-middle attackers or attackers with access to the request logs to see the LDAP credential.
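The exposure the description refers to is an after-the-fact one: a credential placed in a pagination URL is written into the request log of every server and proxy on the path. The following scanner is an added example, not code from the cvebase entry, the CVE record or Liferay. It reads access-log lines in the common "combined" format, flags any request whose query string carries a parameter with a credential-like name, redacts the value so the report does not re-leak it, and counts how many times the same secret was repeated (the pagination pattern). The path /ldap/test_users and the parameter names bindDN, bindPassword and cur in the constructed sample log are assumptions for illustration; the page does not give Liferay's real names. The name-based match is deliberately broader than LDAP so the same scan catches any password-bearing GET.

```python
"""Detect credentials carried in request URLs by scanning access logs.

Added example, not code from cvebase, Liferay or the CVE record.
The path "/ldap/test_users" and the parameter names "bindDN",
"bindPassword" and "cur" are assumptions for illustration.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Apache/nginx "combined" format: client ident user [time] "request" status ...
_LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3})'
)

# Parameter *names* that usually carry a secret. Matching on the name rather
# than the value avoids flagging ordinary searches such as ?q=password+policy,
# and the substring match still catches portlet-namespaced names.
_SECRET_NAME_RE = re.compile(r"passw|credential|secret|bindpw|api[_-]?key", re.I)


def _redact(value):
    """Keep a two-character prefix and the length; the report must not re-leak."""
    return value[:2] + "*" * (len(value) - 2) if len(value) > 2 else "*" * len(value)


def find_credential_leaks(log_lines):
    """Return (line_no, client, path, {param: redacted_value}) per leaking request.

    parse_qsl percent-decodes values, so an encoded credential is still seen
    whole; redaction is applied before anything leaves this function.
    """
    findings = []
    for line_no, line in enumerate(log_lines, start=1):
        m = _LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand
        parts = urlsplit(m.group("target"))
        leaked = {
            name: _redact(value)
            for name, value in parse_qsl(parts.query, keep_blank_values=True)
            if value and _SECRET_NAME_RE.search(name)
        }
        if leaked:
            findings.append((line_no, m.group("client"), parts.path, leaked))
    return findings


def repeated_credentials(findings):
    """Count how many requests repeated the same (client, path, param, value).

    A count above one is the pagination pattern from the advisory: the same
    secret re-sent on every page, so one log file holds many copies of it.
    """
    counts = {}
    for _, client, path, leaked in findings:
        for name, value in leaked.items():
            key = (client, path, name, value)
            counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample log (not real traffic): a three-page walk through an
# LDAP user test page, then benign traffic that must not be flagged.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Nov/2022:10:01:02 +0000] "GET /ldap/test_users?serverId=1'
    '&bindDN=cn%3Dadmin%2Cdc%3Dexample%2Cdc%3Dcom&bindPassword=Sup3rS3cret%21&cur=1'
    ' HTTP/1.1" 200 8231 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [15/Nov/2022:10:01:09 +0000] "GET /ldap/test_users?serverId=1'
    '&bindDN=cn%3Dadmin%2Cdc%3Dexample%2Cdc%3Dcom&bindPassword=Sup3rS3cret%21&cur=2'
    ' HTTP/1.1" 200 8104 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [15/Nov/2022:10:01:15 +0000] "GET /ldap/test_users?serverId=1'
    '&bindDN=cn%3Dadmin%2Cdc%3Dexample%2Cdc%3Dcom&bindPassword=Sup3rS3cret%21&cur=3'
    ' HTTP/1.1" 200 7990 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [15/Nov/2022:10:02:40 +0000] "GET /search?q=password+policy'
    ' HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [15/Nov/2022:10:02:41 +0000] "POST /login'
    ' HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits = find_credential_leaks(SAMPLE_LOG)
    for line_no, client, path, leaked in hits:
        print(f"line {line_no}: {client} {path} -> {leaked}")
    for (client, path, name, value), n in repeated_credentials(hits).items():
        print(f"{client} {path} sent {name}={value} {n} time(s)")
```

Run it as a script to see the three pagination requests reported and the single credential counted three times; the search for "password policy" and the POST login are left alone because the match is on parameter names, not values. Against real logs, feed the scanner the lines from every hop that records the request line (front proxy, load balancer, application server), since each of them holds its own copy of the URL.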

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.2 | Impact: 3.6

The vector matches the description: AC:H because the attacker needs a man-in-the-middle position or access to the request logs rather than a direct request, and C:H because what is disclosed is the LDAP credential itself, with no integrity or availability impact scored.

Affected Packages (2 packages)

NVD: liferay/liferay_portal, 7.0.0 to 7.4.3.5 (the description lists 7.4.3.4 as the last affected Liferay Portal release)

Vulnerability Details (3 references)

CVEList: CVE-2022-42132: The Test LDAP Users functionality in Liferay Portal 7 (2022-11-15)
OSV: Liferay Portal and Liferay DXP Includes LDAP Credentials in the Page URL (2022-11-15)
GHSA: Liferay Portal and Liferay DXP Includes LDAP Credentials in the Page URL (2022-11-15)
CVE-2022-42132 — Sensitive Information Exposure | cvebase